Win32 gethostbyaddr() does NetBIOS query?

[Richard Sharpe]

At 04:21 PM 10/2/98 +1000, crh at NTS.Umn.EDU wrote:
>On a different mailing list, the suggestion was posted that the Windows
>version of gethostbyaddr() will send a NetBIOS query to the address to try
>and get the NetBIOS name before doing a DNS lookup.  A few folks have
>written in to support this claim with empirical evidence (no sniffer
>traces yet, I'm 'fraid). 
>
>This seems really wrong to me.  (They'd *never* do that, would they?)

It seemed wrong to me as well, but I have seen the evidence in traces.

Win95 looks in the hosts file and the lmhosts files first, and then does a
WINS lookup if WINS is configured, and then does DNS.

If you try a name that is longer than 15 characters, it omits the WINS step.

So, if you try 'ping fred.my.domain', you will find that a WINS lookup goes
out on the wire first, then a DNS request, but if you try 'ping
fred12.my.domain' no WINS request goes out.

>There is evidence at our border, however, which suggests differently.  We
>filter out all inbound NetBIOS traffic.  99% of the NetBIOS-related
>packets that we drop are for UDP/137.  We are trying to get a better
>understanding of what this means.  How much is malicious, how much is
>reckless cluelessness, and how much is Microsoft. 
>
>Does anyone know anything about this?

See above :-) I have a whole hands-on session on it in my TCP/IP course.

>Chris -)-----
>
>-- 
>Christopher R. Hertel -)-----                   University of Minnesota
>crh at nts.umn.edu              Networking and Telecommunications Services
>

Regards
-------
Richard Sharpe, sharpe at ns.aus.com, NIC-Handle:RJS96
NS Computer Software and Services P/L, 
Ph: +61-8-8281-0063, FAX: +61-8-8250-2080, 
Samba, Linux, Apache, Digital UNIX, AIX, Netscape, Stronghold, C, ...