Showing posts with label Name Resolution.

Advanced Windows Networking Using Internet Protocol

Windows Networking is the subsystem that lets you share files and printers between computers running the various versions of Windows. Server Message Blocks, also called SMBs, are the foundation of Windows Networking. SMBs provide several crucial functions.



(Note): If you're not familiar with the concept of network layers, take a few moments and read about the OSI Network Model.

SMBs are not transported directly over the various physical networking components, as Layer 1 or 2 traffic. SMBs may be transported over Internet Protocol (IP), as well as alternate protocols like IPX/SPX or NetBEUI.

Windows Networking has historically used NetBIOS Over TCP/IP (NetBT) as an intermediate transport for SMBs over IP. Windows 2000, XP, and Vista, however, will transport SMBs over IP without NetBT, using directly hosted SMBs.

To remain compatible with the older versions of Windows, a Windows Networking client, running Windows 2000, Windows XP, or Windows Vista, can use either directly hosted SMBs, or it can use NetBT. If any server supports directly hosted SMBs, the client computer in question will bypass NetBT, when communicating with that specific server.

This dual compatibility, which allows Windows 2000 / XP / Vista clients to communicate with computers running other editions of Windows, is not without cost. Attempting two communications channels, when establishing a connection with any server, increases program complexity and network traffic. In some cases, it may increase latency.

We need to resolve one major misconception. It may appear that when you Disable NetBT, you are disabling Windows Networking over IP. This is not correct. When you Disable NetBT, you are merely disabling hosting of SMBs over NetBT. You then end up with SMBs hosted directly over IP. But look at address resolution on your LAN, before trying this. Don't make this change blindly.

If your LAN
  • Has a domain.
  • Has computers running only Windows 2000, Windows 2002 (aka Windows XP), Windows 2003 (aka Server 2003), Windows 2006 (aka Vista), and Windows 2009 (aka Windows 7).
  • Uses DNS, properly setup, for name resolution.
then you may wish to Disable NetBT, and (KB204279): use directly hosted SMBs. If any of the above are not true, you should Enable NetBIOS Over TCP/IP. Be consistent on all computers.

In the TCP/IP Properties - Advanced wizard, WINS, select Disable NetBIOS Over TCP/IP. Alternately, if you have the Default NetBIOS setting selected (instead of "Disable" or "Enable") on your client computers, and you have a DHCP server (not a NAT router with DHCP), you can disable NetBT from a DHCP server setting.

If you use directly hosted SMBs, whether alternately or exclusively, be aware of the security implications.
  • NetBT uses TCP and UDP ports 137 - 139.
  • Direct hosted SMBs use TCP port 445.

Be sure that all personal firewalls have the proper ports opened.

Here are the relevant ports used by SMBs over NetBT, per IANA port number allocation:

netbios-ns 137/tcp NETBIOS Name Service
netbios-ns 137/udp NETBIOS Name Service
netbios-dgm 138/tcp NETBIOS Datagram Service
netbios-dgm 138/udp NETBIOS Datagram Service
netbios-ssn 139/tcp NETBIOS Session Service
netbios-ssn 139/udp NETBIOS Session Service

And the relevant ports used by directly hosted SMBs:

microsoft-ds 445/tcp Microsoft-DS
microsoft-ds 445/udp Microsoft-DS
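The port lists above are what a firewall log actually shows you, so here is an added example (my own Python, not code from the original post) that reads Windows Firewall log lines and reports, for each client / server pair, whether SMB traffic is going over NetBT (137 - 139) or directly hosted SMB (445). It then lists clients that only ever used NetBT, which on a LAN where you meant to disable NetBT everywhere are the inconsistently configured ones. The log lines are constructed for the example; the parser takes the column order from the file's own #Fields header rather than assuming it.

```python
# Added example (not from the original post): read Windows Firewall log
# lines and report, per client/server pair, whether SMB traffic is using
# NetBT (TCP/UDP 137-139) or directly hosted SMB (TCP 445).
from collections import defaultdict

# Port-to-transport map taken from the IANA allocations listed above.
SMB_PORTS = {
    ("tcp", 137): "netbt-ns",
    ("udp", 137): "netbt-ns",
    ("tcp", 138): "netbt-dgm",
    ("udp", 138): "netbt-dgm",
    ("tcp", 139): "netbt-ssn",
    ("udp", 139): "netbt-ssn",
    ("tcp", 445): "direct-smb",
    ("udp", 445): "direct-smb",
}

# Constructed sample in the Windows Firewall log layout; the parser reads
# the column order from the #Fields header rather than assuming it.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2003-04-16 11:20:01 ALLOW TCP 192.168.1.50 192.168.1.11 1045 445 48 S 1234 0 65535 - - - SEND
2003-04-16 11:20:01 ALLOW TCP 192.168.1.50 192.168.1.11 1046 139 48 S 1235 0 65535 - - - SEND
2003-04-16 11:20:03 ALLOW UDP 192.168.1.60 192.168.1.255 137 137 78 - - - - - - - SEND
2003-04-16 11:20:04 ALLOW TCP 192.168.1.60 192.168.1.11 1101 139 48 S 9001 0 65535 - - - SEND
2003-04-16 11:20:05 ALLOW TCP 192.168.1.50 192.168.1.1 1050 80 48 S 4321 0 65535 - - - SEND
"""


def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        values = raw.split()
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than misalign the columns
        yield dict(zip(fields, values))


def smb_transport(protocol, dst_port):
    """Return the SMB transport name for a destination port, or None if not SMB."""
    return SMB_PORTS.get((protocol.lower(), int(dst_port)))


def smb_transports_by_pair(text):
    """Map (src-ip, dst-ip) -> sorted list of SMB transports observed between them."""
    seen = defaultdict(set)
    for rec in parse_firewall_log(text):
        transport = smb_transport(rec["protocol"], rec["dst-port"])
        if transport:
            seen[(rec["src-ip"], rec["dst-ip"])].add(transport)
    return {pair: sorted(t) for pair, t in seen.items()}


def netbt_only_clients(text):
    """Clients that opened NetBT sessions (139) and never used 445: on a LAN
    meant to run directly hosted SMBs these are the inconsistently set up ones."""
    clients = defaultdict(set)
    for (src, _dst), transports in smb_transports_by_pair(text).items():
        clients[src].update(transports)
    return sorted(c for c, t in clients.items()
                  if "netbt-ssn" in t and "direct-smb" not in t)


if __name__ == "__main__":
    for pair, transports in smb_transports_by_pair(SAMPLE_LOG).items():
        print(f"{pair[0]} -> {pair[1]}: {', '.join(transports)}")
    print("NetBT-only clients:", netbt_only_clients(SAMPLE_LOG))
```

In the sample, 192.168.1.50 tries both 445 and 139 against the server (the dual attempt the text describes), while 192.168.1.60 only ever uses NetBT, so it is the one to look at.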


Similar to the effect of a personal firewall, SMBs can be setup to use secure channel communication, by using SMB Authentication and Encryption. If you ever see
The account is not authorized to log in from this station.

then check SMB Encryption and Signing settings.

And, if you have an integrated security suite (previously sold as anti-virus protection), you may have an anti-worm component protecting you. Anti-worm protection, if not correctly configured, may interfere with any or all of the above NetBT traffic. Different brands of products will cause different problems.

For more information:


Bad Websites? Don't Go There

One of the best ways of protecting your computer from websites which serve malicious content is not to go to those websites. If their content includes malicious code, why would you think that any of their content is desirable? Don't go there, or if you do, go armed with knowledge.

If you must surf to dodgy web sites, know which web sites are known to be malicious. The power of the Internet includes online, real time advice from the good guys.

Besides online malicious web site analysis, the classic protection strategy was plain old avoidance. Various security experts provide lists of websites that you should avoid, and they distribute the lists on the web. These lists are pretty big, and change frequently - generally each month. And, to prevent you from having to examine a list, by hand, each time you consider following a given link, you put these lists into the Hosts file on your computer, and let the computer do the work for you.

You can get a Hosts file from several trusted sources.


The Hosts file is a simple text file, stored in a recognised location on your computer. The operating system finds it from registry entry [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath]. Generally, this entry points to "%SystemRoot%\System32\drivers\etc", though malicious software, if installed on your computer, may change this entry.

If you use a Hosts file from only one of the above sources, you'll simply copy the file into the folder, as discussed above. If you do as I do, and use combined sources (since each source has different criteria for what undesirable content is out there), you won't want to edit and merge the files by hand. So there are several tools for doing this.

All of the above are free, and reliable. But, if you're skeptical about whether to trust any of the sources listed above, that's good. Do some research.

With the exception of the issue below, using a Hosts file, as part of a layered security strategy, is simple yet effective. Use of the Hosts file is built in to every network operating system that uses Internet Protocol. Installing the Hosts file simply consists of merging entries into the existing file (as described above), or copying a file into the folder, if there is none in use right now.

Now, using a Hosts file is not without cost. A Hosts file entry identifies one individual subdomain, in any given domain. If "hackersrus.net" has separate addresses for "servera", "serverb", and "serverc", you'll need

127.0.0.1 servera.hackersrus.net
127.0.0.1 serverb.hackersrus.net
127.0.0.1 serverc.hackersrus.net

and this can make the Hosts file pretty large. With the HPGuru Hosts file, the file is well over 1M in size.

If you're running the DNS Client service, which provides a centrally managed DNS / Hosts lookup, the Hosts file is cached automatically. When the system starts up, and anytime you update the Hosts file, the DNS Client service will recache the file. This is a very CPU intensive process - on my computer (the last time I used it), the service would take 10 - 15 minutes to cache the file; during that time, the computer was pretty useless.

The solution, in that case, is to Stop and Disable the DNS Client service.

This should be a relevant issue only on small LANs that don't have a dedicated DNS server. If your domain includes a DNS server for local name resolution, you need to setup both the clients and the server very carefully. In that case, you'll want to centralise your website blocking, not have separate files on each client. If you don't have a dedicated DNS server, there are free DNS server utilities, that will provide local caching of DNS information, without having to precache the Hosts file.

Note one of the downsides of Hosts file based protection is latency. For you to surf safely, you have to be using the most up to date Hosts file. How often do you intend to update yours? If your Internet activity consists mainly of browsing, a browser add-on that references an online database makes much more sense.


NetBIOS Over TCP/IP

Microsoft Windows, in its default state, uses TCP/IP, and NetBIOS Over TCP/IP, for networking. Sometimes, we forget this detail. NetBT is so easily overlooked, yet it is essential.

If we are looking at the output from "ipconfig /all", and we see


IP Address. . . . . . . . . . . . : 192.168.1.50
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.11
                                    192.168.1.33
NetBIOS over Tcpip. . . . . . . . : Disabled
Lease Obtained. . . . . . . . . . : Wednesday, April 16, 2003 11:19:12
Lease Expires . . . . . . . . . . : Wednesday, April 23, 2003 11:19:12


Obviously, we're going to correct that. But what if we simply see

IP Address. . . . . . . . . . . . : 192.168.1.50
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.11
                                    192.168.1.33
Lease Obtained. . . . . . . . . . : Wednesday, April 16, 2003 11:19:12
Lease Expires . . . . . . . . . . : Wednesday, April 23, 2003 11:19:12

Do we see any problem there? Probably not. Look in the TCP/IP - Advanced Properties wizard, WINS tab. There are 3 possible settings for NetBIOS Over TCP/IP
  • Default.
  • Enable.
  • Disable.

The last setting, Disable, becomes apparent when we see the first example above. But what if we see the second example above? Well, that display can result from either the "Default" or the "Enable" setting. If it's not showing Disabled, it could be either.

The Default setting, according to the wizard, is for

Use NetBIOS setting from the DHCP server.

If your LAN
  • Has a domain.
  • Has computers running only Windows 2000, Windows 2002 (aka Windows XP), and Windows 2003 (aka Server 2003).
  • Uses DNS, properly setup, for name resolution.
then you may wish to disable NetBT, and use directly hosted SMBs.

But what if your LAN has a NAT router providing DHCP services, and / or has no domain? NAT routers are Operating System independent, and NetBT is a Microsoft Windows Networking feature. NAT routers have no setting for NetBIOS Over TCP/IP. If you select "Default", and you have a NAT router, what network functionality do you get?

The challenge is that this one setting affects multiple functions between your computer, and other computers, in both directions.
  1. Browsing: Ability to see other computers.
  2. File sharing: Ability to access resources on other computers.
  3. Name resolution: Ability to find out the addresses of other computers.


Depending upon what network hardware and software you have, any or all of the above functions may or may not work, in either direction (incoming or outgoing), between any pair of computers. And each different pair of computers may yield a different set of symptoms. If you have a NAT router providing DHCP services, the only way to deal with this reliably is to Enable NetBT consistently, on all computers.

In the TCP/IP - Advanced Properties - WINS wizard for all relevant network connections,

  • Select the radio button "Enable NetBIOS over TCP/IP".
  • Hit OK 3 times.
  • Close Network Connections, after enabling NetBT on all relevant network connections.

If you still see

NetBIOS over Tcpip. . . . . . . . : Disabled
after Enabling NetBT, check the TCP/IP NetBIOS Helper service.

Be safe - don't settle for "Default".


The DNS Server Settings On Your Computer

Domain Name Services, or DNS, is a critical service on almost all Local and Wide Area Networks. DNS is used for host name to IP address resolution of all Internet hosts, many WAN hosts, and may be used for address resolution of LAN hosts too. DNS resolution is so important that Windows supports configuration of 2 DNS servers in basic IP configuration; with more work, you can define even 3 or more DNS servers. Many NAT routers will let you define up to 3 DNS servers.

Any time you try to access a server on the Internet, and get "server not found" or "unknown host", check your DNS server settings. Run "ipconfig /all", and look for the DNS servers entry, such as:


DNS Servers . . . . . . . . . . . : 192.168.1.11
                                    192.168.1.33


The DNS server sequence is important. When DNS resolution is needed, server #1 is queried first. If server #1 is busy or otherwise unavailable, server #2 is used in that query, and all subsequent queries. If server #2 is needed to provide a backup to server #1, server #1 may not be used again, until you reset the computer or router. This behaviour is not consistent, though; some DNS clients may always try DNS Server #1 first, then #2, and finally (if defined), #3.

If you're researching a problem where the symptoms indicate a DNS issue, and the problem isn't consistent between computers, compare the DNS server settings on each computer.

If all DNS servers in the sequence don't have balanced ability (availability, capacity, connection to higher level DNS server), you can get to a situation where the next server in the sequence is used, and won't provide consistent service. Resetting the DNS client, generally by restarting the computer or router, after DNS server #1 is returned to service, is the normal recovery from this problem.

Recognising a DNS problem may not be easy, though. Without some minimal diagnosis, a DNS problem can be confused with a physical connectivity problem, a security problem, or even a simple CKI fault.

The long term solution, for a DNS server sequence problem, is to have a properly balanced DNS server sequence. Many networks plan their primary DNS server very carefully, and throw a surplus (generally old and underpowered) computer in as the secondary. Some networks may even have 2 primary servers (with the clients split between the two), and a single, surplus, secondary.

What happens when the primary DNS server goes down? If your clients are using the secondary server suddenly, and it doesn't have the same capacity as the primary server, you're going to have performance problems. Make sure that your backup server is equal to the task of replacing, even temporarily, the primary server. Remember that the clients will be using the backup server, after the primary server comes back online. And if there's a chance that a secondary DNS server will be in use during an outage of other equipment, don't compound the stress. The stress that your clients experience will be passed on to you, generally doubled.

If you relay DNS requests to external DNS servers, and ones that you don't control, again try to specify servers of equal ability. Also, make sure that both external servers have good servers feeding them, and that they are secured against exploits that would permit pharming. If, for any reason, some of your clients are using the backup external server, and others the primary, both servers need to be able to resolve your DNS queries properly. If either server filters addresses differently, for instance, you'll have some clients able to access websites that other clients can't. Again, more stress for you.

If you're using DNS for address resolution on your LAN, make sure that both the server and all clients are setup properly.

If your Internet service goes thru a NAT router, you may be using the NAT router as a DNS relay.

If you think that you have a DNS problem, but aren't quite sure, read Identifying A DNS Problem In Your Internet Service.
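Both this post and the NetBIOS Over TCP/IP post above have you reading "ipconfig /all" by eye, so here is an added example (my own Python, not code from the original posts) that does the reading for you: it parses the output, reports the NetBIOS over Tcpip state the way the posts describe it (an explicit "Disabled", or nothing, which means Default or Enabled and cannot be told apart), pulls out the DNS server list in order, and compares that order across several computers. The two ipconfig samples are constructed; note the second DNS server sits on a label-less continuation line, exactly as ipconfig prints it, and the parser handles that.

```python
# Added example (not from the original posts): parse "ipconfig /all" text,
# read the NetBIOS over Tcpip state and the DNS server order, and compare
# the DNS order across several computers.
import re

# Constructed samples. The second DNS server appears on a continuation
# line with no label, exactly as ipconfig prints it.
IPCONFIG_A = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.50
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.11
                                       192.168.1.33
   NetBIOS over Tcpip. . . . . . . . : Disabled
   Lease Obtained. . . . . . . . . . : Wednesday, April 16, 2003 11:19:12
"""

IPCONFIG_B = """\
Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.60
   DNS Servers . . . . . . . . . . . : 192.168.1.33
                                       192.168.1.11
   Lease Obtained. . . . . . . . . . : Wednesday, April 16, 2003 11:19:12
"""

# "Label . . . . : value"; the label stops at the first run of dots/spaces
# before a colon, so times like 11:19:12 inside the value are not split.
_LABELLED = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /()-]*?)[\s.]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {label(lowercased): [values]}; label-less lines continue the previous label."""
    config, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            current = None          # a blank line ends any continuation
            continue
        m = _LABELLED.match(raw)
        if m:
            current = m.group(1).strip().lower()
            value = m.group(2).strip()
            config.setdefault(current, [])
            if value:
                config[current].append(value)
        elif current is not None:
            config[current].append(raw.strip())
    return config


def netbt_state(config):
    """What the posts say the output tells you: 'Disabled' shows up explicitly;
    an absent line means Default or Enabled, which ipconfig cannot tell apart."""
    for label, values in config.items():
        if label.startswith("netbios over tcpip"):
            return values[0] if values else "unknown"
    return "Default or Enabled"


def dns_servers(config):
    """Ordered DNS server list (order matters: server #1 is tried first)."""
    for label, values in config.items():
        if label.startswith("dns servers"):
            return list(values)
    return []


def dns_mismatches(configs):
    """Given {computer: ipconfig text}, list computers whose DNS server order
    differs from the first computer's. Same servers in a different order count,
    because which server becomes the fallback depends on the order."""
    names = list(configs)
    reference = dns_servers(parse_ipconfig(configs[names[0]]))
    return [n for n in names[1:]
            if dns_servers(parse_ipconfig(configs[n])) != reference]


if __name__ == "__main__":
    for name, text in {"A": IPCONFIG_A, "B": IPCONFIG_B}.items():
        cfg = parse_ipconfig(text)
        print(name, "NetBT:", netbt_state(cfg), "DNS:", dns_servers(cfg))
    print("DNS order differs from A on:", dns_mismatches({"A": IPCONFIG_A, "B": IPCONFIG_B}))
```

Feed it the saved "ipconfig /all > name.txt" output from each computer and the mismatch list points you straight at the computer whose DNS settings differ.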


Using A Hosts File For Security

One of the simplest ways of protecting yourself against outbound traffic to known malicious websites is with a Hosts file. If you want to prevent access to a known malicious website, for instance, www.badhacker.org, you would add an entry


127.0.0.1 www.badhacker.org

Using a Hosts file in this way has its pluses and its minuses.

Pluses.

  • A Hosts file requires no software installation. The Hosts file is referenced, natively, by every IP stack in every operating system.
  • A Hosts file is universally used. There are multiple well known and reliable providers of free Hosts files, which define known malicious websites.


Minuses

  • Each entry defines precisely one website. The entry

    127.0.0.1 www.badhacker.org

    blocks access to only www.badhacker.org. A separate entry is required for badhacker.org, and another for www1.badhacker.org.
  • The Hosts file will become quite large. The HPGuru, a very comprehensive file, is currently over 1M in size, when expanded and installed.
  • Loading the file takes significant CPU power, if not configured properly. If the DNS Client service is running on your computer, and you make any change to Hosts, your system could be unusable for 10 to 16 minutes.
  • To be effective, the file must be kept up to date. The bad guys are constantly creating new domains, and subdomains.
  • It will only block access by website name. Neither of the following will work:

    127.0.0.1 209.62.176.181
    209.62.176.181 127.0.0.1
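The following Python is an added example, not part of the original post. It merges block lists from several sources into one Hosts file (the merging that the Bad Websites post says you'll want a tool for), dropping the IP-literal entries shown above since they never do anything, and then resolves names the way the post describes: Hosts first, exact name match only, then DNS. The two source lists and the DNS answers are constructed stand-ins so it runs offline; the host names are the post's own examples.

```python
# Added example (not from the original post): merge Hosts block lists from
# several sources, and show what a Hosts entry does and does not block.
import ipaddress

# Constructed sample "sources"; the host names are the post's own examples.
SOURCE_ONE = """\
127.0.0.1  localhost
127.0.0.1  www.badhacker.org
127.0.0.1  servera.hackersrus.net
"""
SOURCE_TWO = """\
# another list, using the 0.0.0.0 convention for blocking
0.0.0.0  www.badhacker.org
0.0.0.0  serverb.hackersrus.net  # comment after the entry
127.0.0.1  209.62.176.181
209.62.176.181  127.0.0.1
"""

# Constructed stand-in for DNS answers (TEST-NET addresses) so this runs offline.
FAKE_DNS = {
    "www.badhacker.org": "192.0.2.10",
    "badhacker.org": "192.0.2.10",
    "www1.badhacker.org": "192.0.2.11",
}


def parse_hosts(text):
    """Yield (address, hostname) for every non-comment entry, one pair per name."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            yield address, name.lower()


def is_ip_literal(name):
    """True for '209.62.176.181' style strings: an application with an IP
    literal never asks for name resolution, so such a Hosts entry is dead weight."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def merge_hosts(sources, block_address="127.0.0.1"):
    """Combine several block lists into one Hosts text: localhost first,
    every blocked name exactly once, all pointed at block_address."""
    blocked = set()
    for text in sources:
        for _addr, name in parse_hosts(text):
            if name != "localhost" and not is_ip_literal(name):
                blocked.add(name)
    lines = ["127.0.0.1 localhost"] + [f"{block_address} {n}" for n in sorted(blocked)]
    return "\n".join(lines) + "\n"


def resolve(name, hosts_text, dns):
    """Resolve as the post describes: IP literals need no lookup, Hosts is
    consulted first (exact name match only), then DNS. Returns (address, source)."""
    if is_ip_literal(name):
        return name, "literal"
    table = {}
    for address, host in parse_hosts(hosts_text):
        table.setdefault(host, address)   # keep the first line for a name (assumption)
    key = name.lower()
    if key in table:
        return table[key], "hosts"
    if key in dns:
        return dns[key], "dns"
    return None, "nxdomain"


if __name__ == "__main__":
    merged = merge_hosts([SOURCE_ONE, SOURCE_TWO])
    print(merged)
    for query in ("www.badhacker.org", "badhacker.org", "www1.badhacker.org", "209.62.176.181"):
        print(query, "->", resolve(query, merged, FAKE_DNS))
```

Running it shows the minus the post lists: "www.badhacker.org" is answered from Hosts, but "badhacker.org" and "www1.badhacker.org" fall through to DNS until you add their own entries, and the IP literal bypasses Hosts altogether.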

Check Your Hosts File VERY Carefully

The bad guys have been using entries in YOUR Hosts file, to block you from accessing the websites that can protect YOU, for quite a while now. So instructing you to examine your Hosts file, for entries like:


127.0.0.1 www.symantec.com

is nothing new. This entry, if present in your Hosts file, will block you from getting access to the Symantec servers, including online help, and LiveUpdate. It's one of the earliest hijacks used by the bad guys.

Anyway, I just copied the above example line from this example Hijacked Hosts file. Go there, and see if you can find the example.

"No", you might answer. "The only non-comment line is:

127.0.0.1 localhost".


But, you would be wrong. Look again, but look more carefully.

  • The first line there (other than a lot of comments), and the only non-comment line in an otherwise empty file, will APPEAR to be "127.0.0.1 localhost".
  • Scroll to the end of the file, by hitting Ctrl-End.
  • Scroll back up to the top, page by page, looking for any unrecognised entries, possibly placed there by malware.
  • Look out for blank lines at the beginning and end of the file, after "localhost", placed there by an exploit.
  • Do not assume that a file is empty simply because you see "localhost" followed by 50 blank lines!
  • Do not assume that a file is empty simply because you see 50 blank lines anywhere!


Now aware of this devious, and oh so simple, mechanism that the bad guys can use, check YOUR Hosts file. To clean your Hosts file, if anything of interest is found, and assuming NO valid entries other than "127.0.0.1 localhost", simply:

  1. Place the cursor at the end of the "127.0.0.1 localhost" line.
  2. Hold down "Ctrl" and "Shift", and hit "End".
  3. With everything after "127.0.0.1 localhost" highlighted, hit "Delete".
  4. Save Hosts, as name "Hosts." (note the "."!), as type "All Files".

If you find that you have valid entries other than "127.0.0.1 localhost", which you need to retain, be aware of this hijack, and edit the file very carefully.

An Example Of A Hijacked Hosts File

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

























































127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com



























































127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com





















































































































































(EOF)

Windows Networking

Windows Networking is the suite of programs that provide file and printer sharing between computers running Microsoft Windows (and compatible Network Operating Systems, such as Linux). If you reference the OSI Network Model, Windows Networking runs at the Application level. It uses Server Message Blocks over the lower network layers, such as Ethernet or WiFi, for connectivity.

By default, Windows Networking uses SMBs over NetBIOS Over TCP/IP (NetBT), and TCP/IP, for logical connectivity. It can be customised to use alternate transports, like IPX/SPX or NetBEUI, if you're prepared to deal with the support issues. On a large LAN with a dedicated DNS server for local name resolution, it can use SMBs directly bound to ("hosted on") Internet Protocol.

Whatever transport that you choose, though, all computers need to use the same one.

There are five concepts, which you need to understand, to deal with Windows Networking problems.


Domains / Workgroups
Computers are grouped in domains or workgroups, with membership in either grouping providing benefits.

We can browse My Network Places (known sometimes as "Network Neighborhood"), and see all nearby computers. The workgroup that we are in is the part of My Network Places that is nearest to us - those are the computers that we need access to the most. A workgroup provides a way of identifying the computers that relate closely to our computer.

A domain, on the other hand, is a collection of computers that trust each other. When your computer is joined to a domain, it sets up a two way trust, where the computer and the domain are configured to trust each other.
  1. You authenticate (login as a local administrator) to your computer.
  2. You allow a domain administrator to authenticate to the domain from your computer.
  3. Your computer learns to trust the domain. A "certificate" from the domain is added to your computer.
  4. The domain learns to trust your computer. A "certificate" from your computer is added to the domain.


The domain membership also gives workgroup visibility. You see the other members of "your" domain, as you would see the other members of "your" workgroup. But the two way trust in the domain is special.
  • You gain access to your computer thru domain authentication - you trust the domain, based upon the certificate from the domain that's now on your computer, and upon the credentials (domain account / password) that you supply.
  • You gain access to domain resources in a similar way, from the certificate from your computer that's now in the domain, and from the credentials that you supply.
  • Other people in your work area, and presumably in your domain, can potentially access your computer, as you access theirs.
  • For an allegorical description of two factor (certificate / credential) authentication, see Designing an Authentication System....


Most small LANs will use workgroups, although small domains are worthwhile. Domain membership provides two components - Authentication / Authorisation, and Browsing. Workgroup membership provides one component - Browsing. Workgroup membership provides no authentication / authorisation; that must be provided by redundant accounts setup on both the client and the server.

Outside of becoming invisible in Network Neighborhood, by changing your domain / workgroup membership, you are not adding to your security at all. Becoming invisible is simply a form of Security By Obscurity. If you're on a network with untrustable computers or people, making yourself invisible won't protect you; you need Layered Protection, including a perimeter and / or personal firewall.


Name To Address Resolution
You might call the computer in your kitchen "Kitchen Computer", but it's a safe bet that your equipment will call it something more definitive, like "192.168.0.101" (an IP address), or "06-04-7A-D7-EF-BA" (a MAC address). The IP address, and the MAC address, are used by the various operating systems and network devices, to send messages from computer to computer.

The process of translating a name like "Kitchen Computer" to an IP address like "192.168.0.101" is called name resolution. Name resolution is provided independently of domain / workgroup membership. A domain may contain a DNS or WINS server, but that's not a given. Less likely, but still possibly, a workgroup may contain either. Without a name resolution server, all computers use peer-peer name resolution. Please don't confuse peer-peer resolution with Node Type "Peer-Peer", which is just the opposite.

If your network (domain or workgroup) is setup properly, but does not contain a DNS or WINS server, all computers will use peer-peer broadcasts to resolve names. Using IP addresses to refer to computers should not be necessary, except in extreme situations. And, if you're using an alternate protocol, an IP address won't work at all.


Browsing
Each domain / workgroup uses a browser server to tell it what resources are out there. For every domain / workgroup on a network, there should be at least one browser server in that domain / workgroup.

You can have computers in a workgroup, sharing a network with a domain. If a workgroup has its own browser server, the computers in the workgroup can see each other, and can see the computers in the adjoining domain.

If a workgroup has no browser server, its members will still be able to see each other, and the computers in the domain, if you make the workgroup name identical to the domain name. If you have a computer that's not a domain member, AND you give that computer a workgroup name identical to the domain name, the browser servers in the domain will provide visibility between that computer and the computers in the domain.

In order for browsing to work properly, several essential relationships have to exist between the various computers on the LAN in question.

Does your domain / workgroup occupy multiple subnets? If so, you need to know about Browsing Across Subnets. Do you maybe have two (or more) routers, but would prefer to have one subnet? If so, then read about File Sharing On A LAN With Two Routers.


The Total Picture
Browsing is, arguably, not essential in a small LAN. Without the use of a browser server, a common workaround is to make an adhoc mapping to a share.

  • Hit the Start button.
  • Hit the Run button.
  • Type "\\OtherComputerName" (substituting the Other Computer Name, and less the ""), and hit Enter.


Or, you may make a persistent mapping from Windows Explorer.
  • Select Tools, then Map Network Drive, from the Windows Explorer menu.
  • Substitute the Server, and Share, into "\\Server\Share" as entered into the Folder: box.
  • Select "Reconnect at logon", if desired.
  • Select the Finish button.


Name resolution is not essential either. Without the use of name resolution, you can map a resource by substituting the IP address of the server for the name (again, if you're using NetBIOS Over TCP/IP as the transport).
  • Hit the Start button.
  • Hit the Run button.
  • Type "\\OtherComputerIPAddress" (substituting the Other Computer IP Address, and again less the ""), and hit Enter.


But, when you use Network Neighborhood (My Network Places) to provide a neat list of all the shared folders and printers on your network, you select and double click on a share, and you get a connection, you are using, in turn,

If you're having a problem with Network Neighborhood:
  • Network Neighborhood is empty, or lacks an entry for one or more computers that you know are there.
  • Computer A shows in Network Neighborhood for Computer B, but Computer B doesn't show in Network Neighborhood for Computer A.
  • You get an error "(Workgroup) is not accessible..." when opening Network Neighborhood.
  • You get a variant (and there are many variants here) of "not accessible / name not found ... access denied" when clicking on an entry in Network Neighborhood.

then you likely have a problem with either browsing, or name resolution. Diagnose Windows Networking first. If, and only if, you can't find any problems with Windows Networking, look at File Sharing. Whenever working on problems with Windows Networking, work from the bottom up.

You may also benefit from reading about Server Message Blocks, and Windows Networking.

Authentication and Authorisation
Whether or not you do use the browser to list resources, and / or name resolution to locate the resources, you will still have to setup authentication and authorisation properly, if you wish to actually connect to, access, and change those resources. You can avoid use of the browser, and of name resolution; you cannot avoid authentication and authorisation.


Local Name and Address Resolution On Your Computer

Hosts and LMHosts are local, fixed name resolution caches on your computer, invented before the concept of DNS. Their contents may cause the computer to bypass use of dynamic name resolution techniques like querying DNS, name broadcast, and / or WINS.

If your computer is attempting to resolve the name of a computer, and there's an entry in either Hosts (if DNS resolution is being used), or in LMHosts (if NetBIOS aka WINS resolution is being used) that matches the target name, resolution will stop there.

The Hosts (and similarly the LMHosts) file contains entries of the form:

nnn.nnn.nnn.nnn hostname

The first entry in Hosts, for instance, should be:

127.0.0.1 localhost

This entry is called the loopback address. It lets you reference the computer itself, from itself, without using any network hardware or software. The loopback address is an essential component in layered testing. It is referenced in a diagnostic sequence, for instance:

  • Ping 127.0.0.1.
  • Ping the computer by IP address.
  • Ping the computer by name.

There may be additional entries in Hosts. Some entries may be intentional, others may have been added without your knowledge. Know and understand the difference.

  • You may intentionally override dynamic resolution to create an alias to a server.
  • Malware has been known to hijack the Hosts file. This practice predates pharming, and has the same effect.
  • Many security strategies use the Hosts file to block access to known malicious websites.


Hosts and LMHosts are generally found in "%SystemRoot%\System32\drivers\etc". When in doubt, though, verify the registry entry that points to that location, as some malware changes it. Examine the value of registry entry [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath], and make sure it is "%SystemRoot%\System32\drivers\etc". Any other value may indicate a Hosts file hijack.

See TCP/IP and NBT configuration parameters for Windows XP for further information.

Whether or not the registry setting shows signs of a hijack, check the content of your Hosts file very carefully.

Both Hosts and LMHosts are simple text files, so you may view and/or edit either using Notepad. But view and edit them carefully; errors can have unpredictable results. Saving changes is tricky; you should save Hosts, for instance, as "Hosts." (note the period after "Hosts"), as type "All Files".
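The two checks above, the DataBasePath registry value and the contents of the Hosts file itself, as an added example in Python (this is not code from the original post). It reads the live registry value with the standard winreg module only when run on Windows; elsewhere it falls back to the documented value. The Hosts content below is a constructed sample, and the labels block, lan-alias, redirect and hijack are my own names for the kinds of entry the text describes (blocklist, intentional alias, pharming-style redirect, and a redirected localhost).

```python
"""Audit a Hosts file as the text suggests: confirm the DataBasePath registry value,
then classify every entry so that overrides you did not add stand out."""
import ipaddress
import os
import sys

# The location the text gives as normal; the registry value is of type REG_EXPAND_SZ.
EXPECTED_DATABASE_PATH = r"%SystemRoot%\System32\drivers\etc"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def database_path_is_expected(value):
    """True when DataBasePath points at the normal drivers\\etc folder (case-insensitive)."""
    norm = value.strip().rstrip("\\").lower()
    expected = EXPECTED_DATABASE_PATH.lower()
    # %SystemRoot% only expands on Windows; elsewhere expandvars() leaves it alone.
    return norm in (expected, os.path.expandvars(expected).lower())


def read_database_path_from_registry():
    """Read the live value on Windows; return None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    key_path = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _value_type = winreg.QueryValueEx(key, "DataBasePath")
    return value


def parse_hosts(text):
    """Yield (address, hostname) pairs; '#' starts a comment and blank lines are skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only, or an address with no name
        for name in fields[1:]:  # one address may carry several names
            yield fields[0], name.lower()


def classify(address, hostname):
    """Label an entry by where it sends the name."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return "invalid"
    if hostname == "localhost":
        return "loopback" if addr.is_loopback else "hijack"  # localhost must stay on loopback
    if addr.is_loopback or addr.is_unspecified:
        return "block"  # blocklist style: the name is sent nowhere
    if addr.is_link_local or any(addr in net for net in RFC1918):
        return "lan-alias"  # a deliberate alias for a server on your own LAN
    return "redirect"  # a name sent to an outside address: pharming-style, review it


def audit_hosts(text):
    """Split entries into those a support tech should review and the rest."""
    report = {"review": [], "ok": []}
    for address, hostname in parse_hosts(text):
        kind = classify(address, hostname)
        bucket = "review" if kind in ("hijack", "redirect", "invalid") else "ok"
        report[bucket].append((kind, address, hostname))
    return report


# Constructed sample (not from any real machine); 203.0.113.0/24 is a documentation
# range standing in for an outside address that an attacker controls.
SAMPLE_HOSTS = """\
# comment lines are ignored
127.0.0.1       localhost
192.168.1.11    fileserver  fs          # intentional alias to a LAN server
127.0.0.1       ads.example.net         # blocklist-style entry
0.0.0.0         tracker.example.org
203.0.113.5     www.example-bank.com    # looks like a pharming redirect
203.0.113.5     localhost               # localhost hijack
"""

if __name__ == "__main__":
    live = read_database_path_from_registry()
    path = live if live is not None else EXPECTED_DATABASE_PATH
    print("DataBasePath ok:", database_path_is_expected(path))
    for kind, address, hostname in audit_hosts(SAMPLE_HOSTS)["review"]:
        print(f"REVIEW {kind:8} {address:16} {hostname}")
```

To audit a real machine, read the file at the path the registry reports and pass its text to audit_hosts() in place of the sample; an entry that maps a well-known site to an address outside your LAN is the one to look at first.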

The Mysterious "Error = 53" aka "Name Not Found"

Next to an "error = 5" ("access denied"), I don't know of too many diagnostic messages that can cause so much confusion or uncertainty in the heart of your desktop / network support tech.

An error = 53 ("0x80070035" in Windows Vista) message comes in a number of circumstances.

The literal meaning of "name not found" is "I can't resolve the name of this host to an address". There are a number of possible reasons for this.

One of the most obvious is lack of physical connectivity between you (this host), and the target. Maybe that host doesn't even exist. How many times have you mistyped the name of a host that you're pinging? I've done that a few times.

I've been working with Windows Networking, and browser issues, for several years. I've come to associate "error = 53" ("name resolution") problems with several possible causes that don't come from either CKI or hardware faults.

  • Corrupted LSP / Winsock.
  • Firewall problem.
  • Registry settings.
  • Invalid node type.
  • Network components and services not started, or missing.
  • Excessive protocols.


The first three are identified only from experimentation. A corrupted LSP / Winsock is only diagnosed after it has been fixed. Many times, you try everything, and I mean everything, to fix a problem. Sometimes you spend days, then somebody says "Try LSP-Fix". You run it, and that's the solution. But there are 5 possible solutions for the corrupted LSP / Winsock - LSP-Fix is just one of the 5, and not all 5 work every time.

A firewall problem you only identify after you disable a personal firewall (assuming it disables successfully, which does happen about half the time). The other half, you go through the bit with everything else, and even try LSP-Fix and its siblings, to no avail. Then someone discovers a misconfigured or overlooked firewall, and the light goes on in your head. You uninstall a personal firewall, and your problems are gone.

Registry settings, which are designed for security, can cause many problems, including interfering with name resolution. Here the oddly ubiquitous restrictanonymous setting has been observed to cause problems.

Run "ipconfig /all". The value of Node Type will tell you if you have a problem. If the Node Type is "Peer-Peer", and you're on a small LAN (ie no DNS or WINS server), Peer-Peer won't work; any other setting will, though with varying success.

Also in the log from "ipconfig /all", if you saw the line

NetBIOS over Tcpip. . . . . . . . : Disabled

you would hopefully know to correct that. But even if that line does not show, NetBT might not be enabled, and that will cause this symptom, "error = 53". Please, explicitly Enable NetBT, except for specific network conditions.

An "Error = 53", when referring to the master browser in a browstat log, can be caused by the Remote Registry Service not running on the master browser. Running a server with XP Home, as the master browser, is a bad idea - XP Home does not have the Remote Registry Service, as it does not provide for any administrative access through the network.

Finally, if you spot IPX/SPX or NetBEUI protocols in a "browstat status" log, or IPV6 aka Advanced or Teredo Tunneling in an "ipconfig /all" log, you'll need to uninstall that - at least to diagnose the problem. Having unnecessary protocols will hamper name resolution. Name resolution is generally by broadcast - the computer sends out a message to all computers, through all transports bound to that computer, asking what address the target computer is using. On each query, the computer has to wait for each transport to time out, when no response is received, before trying the next transport.

Microsoft Unable to Reach a Host or NetBIOS Name discusses other possibilities.

Reading IPConfig and Diagnosing Network Problems

Both Internet Service and Windows Networking rely upon the Internet Protocol being properly configured. The IPConfig utility tells us the various settings on any computer using Internet Protocol. This is a good place to start, when diagnosing any networking problem.

Please note that the examples shown here are from a computer set up in a workgroup, which is almost identical to a domain. There is one major difference for a domain: the DNS server entry, for a computer in a domain, should point to the IP address of the domain controller, as indicated in Windows XP / 2000 On A Domain.

This is a problem, as the ipconfig listing will not give a clue as to where the domain controller forwards its DNS queries. If you have DNS problems on a computer in a domain, ipconfig will not help diagnose them.

To get ipconfig data for immediate examination, simply type "ipconfig /all" into a command window (or a command window in Windows Vista). Only type the command itself into a command window - do not type Start - Run - "ipconfig /all...".

If you want the data so it is easily compared between computers, you need to export the data into a text file.

  • Type "ipconfig /all >c:\ipconfig.txt" (less the "") into a command window (or a command window in Windows Vista).
  • Then,

    • Type "notepad c:\ipconfig.txt" (less the "") into the same command window, for immediate examination.
    • Or, copy file c:\ipconfig.txt to another computer, for comparative examination.


A Normal IPConfig

Here's an example of IPConfig ("ipconfig /all") from a pair of computers on a LAN.


Windows IP Configuration
Host Name . . . . . . . . . . . . : PChuck1
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : pchuck.net
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX)
Physical Address. . . . . . . . . : 00-04-76-D7-C5-6A
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.50
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.11
192.168.1.33
Lease Obtained. . . . . . . . . . : Wednesday, April 16, 2003 11:19:12
Lease Expires . . . . . . . . . . : Wednesday, April 23, 2003 11:19:12

Windows IP Configuration
Host Name . . . . . . . . . . . . : PChuck2
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : pchuck.net
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX)
Physical Address. . . . . . . . . : 00-04-76-D7-76-BC
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.51
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.11
192.168.1.33
Primary WINS Server . . . . . . . : 192.168.1.1
Lease Obtained. . . . . . . . . . : Wednesday, April 16, 2003 11:53:45
Lease Expires . . . . . . . . . . : Wednesday, April 23, 2003 11:53:45


What does this tell us?


Host Name . . . . . . . . . . . . : PChuck1

This is the name of the computer, as seen by Internet Protocol.

Primary Dns Suffix . . . . . . . :
DNS Suffix Search List. . . . . . : pchuck.net

Most small LANs don't have a DNS server set up, so you probably won't use DNS for name resolution. If you do have a DNS server (not the one which your ISP provides, either), you should set up both DHCP and DNS carefully.


Node Type . . . . . . . . . . . . : Broadcast

The Node Type tells us how this computer identifies the address of another computer on the LAN. Broadcast is the best setting for a small LAN, although anything but Peer-Peer will work. If you do not have a WINS server, and you see Peer-Peer here, you do have a problem.

If you have a LAN with its own DNS server, you will want to set up your LAN, and the DNS server, properly.


Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

If DHCP is enabled, this computer should get its IP settings from a DHCP server (either a NAT router / ICS Host, or a dedicated server running the DHCP service).

If Autoconfiguration is enabled, this computer did get its IP settings from a DHCP server. If DHCP is enabled, but Autoconfiguration is not enabled, a DHCP server was not available. If the latter, it is very likely that the computer now has an APIPA address, and may display the message "limited or no connectivity".



Physical Address. . . . . . . . . : 00-04-76-D7-C5-6A
IP Address. . . . . . . . . . . . : 192.168.1.50
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.11
192.168.1.33
Primary WINS Server . . . . . . . : 192.168.1.1

These are the most basic settings. You must get the addressing right, before the other components will be of much use.

The Physical Address is the MAC address for this network card. If this is the Vendor Assigned address, it is unique for this device. All Vendor Assigned addresses are unique, for every device in the world. If this is a User Defined address, it was set using tools provided by the vendor. For NT compliant network hardware, this was likely the device properties wizard, accessed from Local Area Connection Properties in Network Connections.

The IP Address for each computer must be unique. Taking the IP Address and the Subnet Mask, and subnetting the IP address, we see that this subnet is 192.168.1.0/24, and the Host Address is 50. On any LAN segment, all hosts (computers) must have the same subnet, and all computers must have a different host address.

While the Subnet and Host addresses together determine which computers on a LAN can communicate, the Default Gateway determines if the computer can communicate with any hosts outside the subnet. The Default Gateway must be the IP address of another host, on that same subnet, that also connects outside the LAN. With no default gateway value, or with an invalid IP address here, your computer won't have access outside the LAN.

If the IP address is 169.254.x.x, you have an APIPA address. Having one or more computers with APIPA addresses - 169.254.0.0/16 (169.254.0.0 / 255.255.0.0) could have various causes.

  • If you're connecting 2 computers directly, using a cross-over cable, then the APIPA addresses are perfectly normal.

  • If you're connecting a computer to an ICS server, or to a NAT router, and it's getting a 169.254.x.x address, then either you have a physical network problem, or the DHCP server (ICS server) is disabled.

  • If your network connection is WiFi, and you're seeing "Connected to XXXXXXX ... Connection quality zzzzz ...", you simply have a radio connection. Your WiFi client has to supply the right credentials (WEP, WPA, ...) before you actually get an IP address.


Note here that most of my advice is about using your computer on your network, or at least on a trusted network. If you're connecting your computer to an unknown or untrusted network, exercise common sense. If you're connecting through WiFi, your connection isn't working, and yet you are not seeing an APIPA address, you could be connecting to a honeypot.

The DHCP Server identifies the network device that issued the IP settings to this computer. If you have two computers which can't communicate, and they have incompatible IP settings, checking the DHCP Server might show settings from two different DHCP servers.

There are two possible reasons for having two different DHCP servers.

  • If you're paying your ISP for two IP addresses, you may be getting two addresses on different subnets, which is a perfectly expected situation for cable broadband. The solution for this may be to not use IP on your LAN.
  • You also might have an unknown (rogue) DHCP server on your LAN. In that case, knowing the IP addresses of both servers should help you identify each server.

The Physical Address, IP Address, Subnet Mask, and Default Gateway are settings which describe how this computer connects to the network. DNS Servers, on the other hand, provide the ability to resolve the IP address of another computer on the network.

WINS is a legacy Microsoft name resolution protocol, used with Windows NT V4.0, and Windows 2000 (aka Windows NT V5.0). With Windows XP (aka Windows NT V5.1), Microsoft elected to use DNS, as the rest of the world has been doing for a while. But we still have the possibility to use WINS built in to Windows XP.

If your host configuration specifies a WINS server, you had better have one. If a WINS server is configured, and WINS is queried, Windows XP will wait for a query against it to time out. Depending upon the value of Node Type, you will have various problems.

  • If Node Type is Broadcast, the WINS entry will be ignored.
  • If Node Type is Hybrid, name resolution by Broadcast will be tried only AFTER WINS resolution is tried and times out. This will significantly increase latency in many file sharing processes.
  • If Node Type is Mixed, name resolution by Broadcast will be tried first. If the requested computer does not respond to a Broadcast (maybe you typed in the name wrong), name resolution will try WINS next. The WINS query will have to timeout before reporting "name not found" aka "Error = 53".
  • If Node Type is Peer-Peer, only the WINS server will be tried. This is a common problem on small LANs.
  • If Node Type is Unknown, it will be treated as Hybrid.

Note that any or all of the above settings can come from automatic configuration (the Network Setup Wizard), or manual configuration (the TCP/IP Properties wizard).
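The procedure in this section, from exporting "ipconfig /all" to a text file through the node type and WINS rules just listed, as an added example in Python (this is not code from the original post). It parses the ipconfig text from several computers and reports the conditions the text calls out: node type against a configured WINS server, an APIPA address, NetBT disabled, a bridge, an IPv6 tunnel adapter, and leases handed out by more than one DHCP server. The sample output is trimmed from the two listings above, plus a constructed third computer (LAPTOP, with an invented second DHCP server at 192.168.0.1) so that the rogue DHCP comparison has something to find.

```python
"""Parse 'ipconfig /all' text from several computers and apply the checks the text
describes: node type against WINS, APIPA, NetBT disabled, bridges, tunnels, rogue DHCP."""
import ipaddress
import re

ADAPTER_RE = re.compile(r"^\s*(\w+ adapter .+?):\s*$")
# Setting lines carry a dot leader before the colon: "Node Type . . . . : Hybrid".
SETTING_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /-]*?)\s*(?:\.\s?)+:\s*(.*)$")


def parse_ipconfig(text):
    """Return {'host': {setting: value}, 'adapters': {adapter name: {setting: value}}}."""
    cfg = {"host": {}, "adapters": {}}
    section, last = cfg["host"], None
    for line in text.splitlines():
        if not line.strip():
            last = None  # a blank line never continues a value
            continue
        m = ADAPTER_RE.match(line)
        if m:
            section, last = cfg["adapters"].setdefault(m.group(1), {}), None
            continue
        m = SETTING_RE.match(line)
        if m:
            last = m.group(1).strip()
            section[last] = m.group(2).strip()
        elif last:
            section[last] += " " + line.strip()  # wrapped value, e.g. a second DNS server
    return cfg


def resolution_order(node_type, wins):
    """NetBT lookup steps, in order, for a node type as the text lays them out."""
    if node_type == "Unknown":
        node_type = "Hybrid" if wins else "Broadcast"
    return {"Broadcast": ["broadcast"], "Peer-Peer": ["wins"],
            "Hybrid": ["wins", "broadcast"], "Mixed": ["broadcast", "wins"]}.get(node_type, [])


def check_config(cfg):
    """Findings for one computer as (severity, message) tuples."""
    findings = []
    node = cfg["host"].get("Node Type", "Unknown")
    wins = any("Primary WINS Server" in a for a in cfg["adapters"].values())
    order = resolution_order(node, wins)
    if order == ["wins"] and not wins:
        findings.append(("error", f"{node}: WINS only and no WINS server, names never resolve (Error 53)"))
    elif "wins" in order:
        when = "every lookup" if order[0] == "wins" else "every unresolvable name"
        if wins:
            findings.append(("info", f"{node}: {when} goes to the WINS server; make sure it really exists"))
        else:
            findings.append(("warn", f"{node}: {when} waits for a WINS timeout with no WINS server configured"))
    for name, a in cfg["adapters"].items():
        if name.startswith("Tunnel adapter"):
            findings.append(("warn", f"{name}: IPv6 tunnel interface present"))
            continue  # NetBT never runs over the tunnel, so its NetBT line is not a fault
        if "Bridge" in name:
            findings.append(("warn", f"{name}: network bridge present"))
        if a.get("NetBIOS over Tcpip") == "Disabled":
            findings.append(("error", f"{name}: NetBIOS over TCP/IP disabled"))
        try:
            ip = ipaddress.ip_address(a.get("IP Address", ""))
        except ValueError:
            continue
        if ip.version == 4 and ip.is_link_local:
            findings.append(("error", f"{name}: APIPA address {ip}, no DHCP server answered"))
    return findings


def dhcp_servers(configs):
    """Map each DHCP server to the hosts it leased to; more than one key needs explaining."""
    servers = {}
    for cfg in configs:
        for a in cfg["adapters"].values():
            if "DHCP Server" in a:
                servers.setdefault(a["DHCP Server"], set()).add(cfg["host"].get("Host Name", "?"))
    return servers


# Samples trimmed from the two listings in the text, plus a constructed third computer
# (LAPTOP) whose lease came from an invented second DHCP server.
PCHUCK1 = """\
Host Name . . . . . . . . . . . . : PChuck1
Node Type . . . . . . . . . . . . : Broadcast
Ethernet adapter Local Area Connection:
IP Address. . . . . . . . . . . . : 192.168.1.50
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.11
192.168.1.33
"""
PCHUCK2 = (PCHUCK1.replace("PChuck1", "PChuck2").replace("Broadcast", "Hybrid").replace("1.50", "1.51")
           + "Primary WINS Server . . . . . . . : 192.168.1.1\n")
LAPTOP = """\
Host Name . . . . . . . . . . . . : LAPTOP
Node Type . . . . . . . . . . . . : Peer-Peer
Ethernet adapter Local Area Connection:
IP Address. . . . . . . . . . . . : 192.168.0.7
DHCP Server . . . . . . . . . . . : 192.168.0.1
"""

if __name__ == "__main__":
    configs = [parse_ipconfig(t) for t in (PCHUCK1, PCHUCK2, LAPTOP)]
    for cfg in configs:
        for severity, msg in check_config(cfg):
            print(f"{cfg['host']['Host Name']:8} {severity:5} {msg}")
    print("DHCP servers seen:", dhcp_servers(configs))
```

To use it on a real LAN, feed the contents of c:\ipconfig.txt from each computer to parse_ipconfig() in place of the samples; two keys in the dhcp_servers() result are the "two different DHCP servers" case described above.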

A Bridge

When you run the Network Setup Wizard, you may end up with a bridge. Bridges cause problems with file sharing, and with Internet service sharing. You can get a bridge from having any of the following:

  • Two network cards, connected to two different subnets.
  • Dialup Internet service, with a modem and a network card.
  • PPPoE Internet service, with a PPPoE modem and a network card.
  • One network card and a 1394 Firewire device.


Windows IP Configuration
Host Name . . . . . . . . . . . . : MyComputer
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Network Bridge (Network Bridge):
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : MAC Bridge Miniport
Physical Address. . . . . . . . . : 02-2F-CC-91-84-FF
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

If you don't intentionally want a bridge, get rid of it. If you need a bridge, please refer to Steve Winograd PracticallyNetworked XP ICS - Network Bridge.

You can avoid ending up with a bridge, if you follow the advice from Microsoft How to prevent the Network Setup Wizard from creating a bridge in Windows XP.

IPV6
When you run the Network Setup Wizard, you may end up with IPV6, aka Automatic Tunneling, aka Teredo Tunneling.

Windows IP Configuration
Host Name . . . . . . . . . . . . : PChuck1
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : myhome.net
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX)
Physical Address. . . . . . . . . : 00-04-76-D7-E2-BA
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.50
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 10.201.99.11
10.201.99.33
Lease Obtained. . . . . . . . . . : Wednesday, April 16, 2003 11:19:12
Lease Expires . . . . . . . . . . : Wednesday, April 23, 2003 11:19:12
Tunnel adapter Automatic Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Automatic Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : C0-A8-00-03
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : fe80::5efe:192.168.1.50%2
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Disabled

The presence of IPV6, aka Automatic / Teredo Tunneling, may hamper the diagnosis of your problems. Please remove IPV6 while we are working on your problems; if you truly need it, you can reinstall it later. You must remove IPV6.

A Hardware Firewall

This may become a common observation in the future.

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nforce Networking Controller

This is a hardware firewall, sitting inside your computer. The nVidia nForce is probably the first, but surely not the last, device of this type.

IPConfig Command not recognised

And here's an odd result. You type "ipconfig", and get

'ipconfig' is not recognized as an internal or external command, operable program or batch file.

In this case, you have still more work to do. There are several possibilities.

  • Check the Path. The entry ";%systemroot%\system32" may be missing.
  • You may need to reload TCP/IP (if this is not Windows XP), or reset TCP/IP (if this is Windows XP).


Your Personal Firewall Can Either Help or Hinder You

One of the key elements in a layered defense strategy is a personal firewall on each computer. You need to protect each computer on your LAN from hostile Internet traffic, and sometimes, from hostile traffic coming from other computers on your LAN.

Unfortunately, if you don't set up your personal firewall properly, you can have problems.

A misconfigured or misbehaving personal firewall on one or more computers on your LAN can block access to the server, whether local (on your LAN) or remote (on the Internet), that you need to access. If your problems remain even after you configure your personal firewall, then you will need to try deactivating it, or uninstalling it.

Deactivating a firewall isn't always an effective solution. Many personal firewalls do not react well to being deactivated - you have to either configure them properly, or uninstall them. Uninstallation, depending upon the brand, may require intensive work, and may involve more than running a simple script from Control Panel or All Programs - (Name Of Firewall Product).

Once you deactivate or uninstall the firewall, you are unprotected. If you must deactivate or uninstall your firewall, only do this temporarily. If you're connected directly to the Internet (which is simply not a recommended setup, even with a personal firewall on the computer), disconnect from the Internet BEFORE doing this. After you get things working, then reinstall, reactivate, and configure a firewall on each computer, before reconnecting.

Configuring a personal firewall, to enable access to the desired services, may involve changing one or more settings. Please spend some time reading the documentation for the firewall in question. After reading the documentation, check the appropriate settings. For Windows Firewall, see Windows Firewall and Windows Networking.


  • Select the appropriate Protection ("paranoia") level.

  • Make sure that exceptions are permitted.

  • Select a preset exception or rule.

  • Configure the Trusted Zone. Be sure that the router, the DHCP and DNS servers (if separate), and the other computers on the LAN, are all Trusted. Get this wrong, and you could have various symptoms.
    • Not all computers might be visible in Network Neighbourhood.
    • Other computers might be visible, but in the "Internet Zone".
    • Other computers might be visible, but attempting to access some will result in the much feared "Access Denied".
    • Attempting to access any computer, local or Internet, may return the equally disliked "Name not found" or similar error.

  • Open the appropriate ports.



Please don't make the mistake of running two or more personal firewalls. Running more than one firewall will not add protection, it will just cause confusion and system malfunctions. If you're going to run a third party firewall, you must choose one and only one. Make sure that you're aware of all software products on your computer, that could act as a personal firewall.

  • Do you have an antivirus product (and if not, get one immediately!)? Some antivirus products come bundled with personal firewalls. F-Secure Internet Security, McAfee Internet SecuritySuite, and Norton Internet Security, for example, each contain both antivirus and personal firewalls (F-Secure Personal Firewall, McAfee Personal Firewall and Norton Personal Firewall, respectively). A newly installed Microsoft (KB923157): Windows Live OneCare may be an issue here.

  • Even if your antivirus is NOT part of a bundle, it may have a component that acts like a firewall. Some antitrojan, antivirus, and antiworm products can install components that cause these problems. As every security package struggles to keep up with the bad guys, and with competing products, features are constantly being added. Examine any antitrojan / antivirus / antiworm product with suspicion, when researching any otherwise unexplained network problem.
    • Read the manual / owners guide for your security product.
    • Google / Yahoo for your security product name / version. See if there are any reported similar problems.

  • Recent changes to Internet Explorer (likely the September 2007 security updates) have caused changes in the My Network Places (Network in Windows Vista) display, and possibly access problems.

  • The Microsoft AntiVirus / Personal Firewall bundle, Windows OneCare, doesn't operate as seamlessly as Windows Firewall, under Windows Vista. You may have to check the NetBT setting, or open some ports manually, to get Windows Networking to work with OneCare under Vista.

  • Server Message Blocks, or SMBs, are the lifeblood of Windows Networking. Make sure that all firewalls are setup to pass SMBs properly - whether you're using SMBs directly hosted on IP, or SMBs hosted on NetBIOS Over TCP.

  • Do you have a VPN endpoint on the computer? Many VPN endpoints are bundled with personal firewalls.

  • What network card do you have? Does it have an nVidia chipset? The nVidia nForce is probably the first, but surely not the last, device of this type.

  • Is a NAT router in the center of your LAN?
    • Most NAT routers use only a switch, connecting the LAN ports. But look carefully for a "DMZ", "Isolation Mode", "Virtual Server", or "VLAN" setting - either on a single port, or affecting the entire LAN. These options are becoming more popular on NAT routers which emphasise sharing Internet access, and make peer-peer connectivity optional.
    • Did you just change to a different NAT router? If the router changed recently, check the subnet that it creates. If the subnet has changed, all computers on the subnet, with firewalls or other security components that assign trust by IP address, may have to be updated to reflect the new subnet.

Don't get surprised, and waste a lot of time looking for a solution that may be right under your nose - check for a bundled firewall first.

If you're going to run a third party firewall, you must disable Windows Firewall, but only from the appropriate Control Panel applet - do not make the mistake of stopping the Windows Firewall service. The Windows Firewall service breaks several network services, if it is stopped.

Stop Windows Firewall from either the Security Center or the Windows Firewall applet. Settings - Control Panel, then either:
  • Security Center, and select Firewall Off.
  • Windows Firewall, and select Off.

Please leave the Windows Firewall / Internet Connection Sharing (ICS) service Started and Automatic, at all times. See Microsoft Threats and Countermeasures Guide: Chapter 7 for more information. Also, see (KB889320): When you disable the Windows Firewall service... for a problem acknowledged by Microsoft with a Hotfix.

On the other hand, if you decide to uninstall your newly discovered third party firewall, please read and observe precautions.

Address Resolution on the LAN

On a small LAN, with no DNS or WINS server, you'll use NetBIOS Over TCP for local name resolution. NetBT based name to address resolution is a pretty complex process, and a rather common cause of problems in Windows Networking.

To identify a possible problem on your LAN, start by running "ipconfig /all" in a command window, or in a Windows Vista command window. The value of NodeType will tell you if you have a problem with network based resolution. Remember to allow for local resolution too.

You might see output similar to this:


Windows IP Configuration

Host Name . . . . . . . . . . . . : MyComputer
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast

You might see any of 5 values for Node Type, and the various values will have varying effects on address resolution.


Broadcast Node Type
For a small LAN with no name server, Broadcast, or B-node, makes the most sense. Broadcast simply resolves by broadcasting an address query to all computers on the subnet, then responds promptly with "name not found" if no response is received from the broadcast.

Note that Broadcast, and the variants of Broadcast (Hybrid / Mixed), depend upon packets broadcast over NetBIOS Over TCP (NetBT). Make sure that your DHCP server, if you have one, is set up to enable NetBT. If you're on a small LAN with a NAT router providing DHCP, make sure that NetBT is explicitly Enabled on each computer, and make sure that all personal firewalls are properly configured for NetBT. Without NetBT, you'll need a DNS server, for name resolution.

Also note that the effect of NetBT Broadcast name resolution is much more pronounced on a large LAN with slow network speed, or with congestion. In a small LAN, with modern, high-speed components, the effects of NetBT broadcast will be minimal. For most small LANs, NetBT Broadcast is a perfectly acceptable method of name resolution.

Hybrid Node Type
Node type Hybrid, or H-node, will work on a small LAN, but it may cause response issues. Hybrid queries the name server first, using directed NetBT, not broadcast NetBT. If there is no name server, the computer has to wait for the name server query to time out, before trying to resolve by Broadcast.

Mixed Node Type
Node type Mixed, or M-node, will work on a small LAN, but it may cause response issues when trying to resolve invalid names. Mixed tries Broadcast first, then queries the name server if no response is received to the broadcast. If a computer with the desired name does not exist, the computer has to wait for the name server query to time out before responding with an error 53, "name not found".

Peer-Peer Node Type
Node type "Peer-Peer", more appropriately called "Point-Point", is a problem on most small LANs. That means MyComputer requires a WINS server to resolve names. No WINS server means no name resolution, no access to its shared resources, and the dreaded "Name Not Found" error (among various symptoms).

Microsoft has documented (KB903267): a fix for this. You'll need to run the Registry Editor on MyComputer. Find the key [HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \NetBT \Parameters], and delete these two values (whichever is there):

  • NodeType
  • DhcpNodeType

After restarting the computer, rerun IPConfig and examine the results.

Unknown Node Type
An Unknown node type, if a WINS server is configured, will be treated as Hybrid. If you actually have a WINS server, then fine. If not, this could cause name resolution latency.

On a small LAN, with no WINS configuration, Node Type Unknown should not be a problem - Unknown will be treated as Broadcast. However, Microsoft has documented (KB310570): a fix for this, if seeing "Unknown" bothers you.

To resolve this issue, use Registry Editor (Regedit.exe) to locate the following key in the registry:
HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \Netbt \Parameters
Change the value of the EnableProxy value in the preceding registry key to 0 or 1, quit Registry Editor, and then restart your computer.

The above fix simply says to change the value specified. Some people discover that their system has no registry entry for that value. If that's the situation you find yourself in, simply add a REG_DWORD value of that name, with value "0". Apparently, changing (or adding) that value forces the system to recalculate the correct value of NodeType.

Changing The Node Type

There's no GUI applet to change Node Type. You'll have to use the Registry Editor, and change value [HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \NetBT \Parameters \DHCPNodeType], or [HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \NetBT \Parameters \NodeType] (whichever is there), or add [HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services \NetBT \Parameters \NodeType].

Value   Node Type
1       Broadcast
2       Peer-Peer
4       Mixed
8       Hybrid


The Total Picture

Microsoft, in Microsoft Windows NT Browser: Microsoft TCP/IP and Name Resolution, summarises the sequence of events involved in NetBT based name resolution.







For more information, see:

