Turn off smart multi-homed name resolution in Windows

Martin Brinkmann
Aug 14, 2017
Windows, Windows 10, Windows 8

Smart multi-homed name resolution is a DNS-related feature that Microsoft introduced in Windows 8 and implemented in Windows 10 as well.

The feature is designed to speed up DNS resolution on a device running Windows 8 or newer by sending DNS requests across all available network adapters. Microsoft refined the feature in Windows 10 so that it automatically selects the information that is returned the fastest.

While the feature makes sense from a performance point of view, it introduces a privacy issue.

If you connect to a VPN on a Windows machine, for instance, smart multi-homed name resolution may lead to DNS leakage. Since requests are sent out to all network adapters at the same time, all configured DNS servers receive the requests, and with them information on the sites that you visit.

Turn off smart multi-homed name resolution in Windows

Microsoft introduced a Registry key and policy to manage the feature in Windows 8.

Registry (Windows 8.x only)

Note: manipulating the Registry may lead to issues if done incorrectly. It is suggested that you create a backup of the Windows Registry before you continue. This can be done by selecting a Registry Hive in the Registry Editor, and then File > Export from the menu bar.

  1. Open the Windows Registry Editor. One easy way to do that is to tap on the Windows-key, type regedit.exe, and hit the Enter-key. Windows throws a UAC prompt which you need to confirm.
  2. Go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient
  3. If the Dword value DisableSmartNameResolution exists already, make sure it is set to 1.
  4. If it does not exist, right-click on DNSClient, and select New > Dword (32-bit) Value from the menu.
  5. Name it DisableSmartNameResolution.
  6. Set its value to 1. You may turn the feature back on at any time by setting the value to 0, or by deleting the Dword value.
  7. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
  8. If the Dword value DisableParallelAandAAAA exists already, make sure its value is set to 1.
  9. If the value does not exist, right-click on Parameters, and select New > Dword (32-bit) Value.
  10. Name it DisableParallelAandAAAA.
  11. Set the value of the Dword to 1. You can turn the feature back on by setting the value to 0, or by deleting the value.

I have created a Registry file that makes both changes to the Windows Registry when executed. You can download it with a click on the following link: (Download Removed)
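
The same two changes as in the steps above, written as an added PowerShell example (it is not the Registry file the author offered); run it from an elevated PowerShell prompt. The helper names Get-DnsDword and Set-DnsDword are hypothetical; the Registry paths and value names are the ones listed in the steps.

```powershell
# Added example: sets the two Dword values from the steps above and
# reports what each one was before and after the change.
# Get-DnsDword and Set-DnsDword are hypothetical helper names.

$settings = @(
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient'
       Name = 'DisableSmartNameResolution' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
       Name = 'DisableParallelAandAAAA' }
)

function Get-DnsDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Set-DnsDword {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path, [string]$Name, [int]$Value = 1)

    $before = Get-DnsDword -Path $Path -Name $Name
    if ($before -ne $Value -and
        $PSCmdlet.ShouldProcess("$Path\$Name", "Set Dword to $Value")) {
        # The DNSClient policy key may not exist yet; create it first.
        if (-not (Test-Path -Path $Path)) {
            New-Item -Path $Path -Force | Out-Null
        }
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord `
            -Value $Value -Force | Out-Null
    }

    # Emit one record per value so the change can be reviewed or logged.
    [pscustomobject]@{
        Value  = "$Path\$Name"
        Before = if ($null -eq $before) { '(not set)' } else { $before }
        After  = Get-DnsDword -Path $Path -Name $Name
    }
}

foreach ($s in $settings) {
    Set-DnsDword @s    # append -WhatIf to preview, or -Value 0 to revert
}
```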

Group Policy (Windows 8 and Windows 10)

The Registry key that worked under Windows 8 does not seem to work under Windows 10 anymore. Windows 10 users and admins may, however, set a policy to turn the feature off.

Specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept.

Note that the Group Policy Editor is only available in professional editions of Windows 10. Windows 10 Home users may want to check out Policy Plus, which introduces policy editing to Home editions of Windows 10.

  1. Do the following to open the Group Policy Editor in Windows: Tap on the Windows-key on the keyboard, type gpedit.msc, and hit the Enter-key on the keyboard.
  2. Go to Computer Configuration > Administrative Templates > Network > DNS Client > Turn off smart multi-homed name resolution.
  3. Set the policy to Enabled to disable the smart multi-homed name resolution feature of the system.

If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail.

Closing Words

Some DNS clients that you may run on Windows machines come with DNS leak protection to prevent these leaks. OpenDNS users may enable the block-outside-dns option for instance in the client to do so.

Publisher
Ghacks Technology News

Comments

  1. webdevhell said on April 21, 2021 at 3:21 pm

    Win 10 Home needs a script to get Gpedit available.

  2. guest said on December 3, 2019 at 12:00 pm

    None of the following worked:

    – Disable the ‘server’ service
    – Group policy editor: allow netbt queries for fully qualified domain names = disabled
    – Group policy editor: Turn off smart multi-homed name resolution

    mat9v said on August 14, 2017
    There is an error in this guide. “Turn off smart multi-homed name resolution” disables concurrent sending DNS requests over TCP/IP, LLMNR and NetBT, but they will still be sent over all active adapters in the system, just not concurrently but one after another if previous fail.

    Correct. NetBIOS DNS requests on port 137 are sent over UDP and this does nothing to stop it. I have a desktop firewall and the alerts just keep coming, every time I open a new web page it wants to make another NetBIOS connection. This is the solution:
    _________

    Click start, control panel, network connections, double click your NIC, click properties, highlight internet protocol (TCP/IP), properties, advanced, WINS tab, make sure Disable NetBIOS over TCP/IP is checked, click OK.

    https://arstechnica.com/civis/viewtopic.php?p=15460842

  3. cheaterslick said on November 30, 2017 at 3:55 am

    Martin, I hope you included this in your Windows Privacy Guide. If not, hopefully it will be included in your next edition.

    Thanks

  4. AAA said on August 29, 2017 at 5:52 am

    Privacy (noun) : the state or condition of being free from being observed or disturbed by other people.

    Clearly there’s no privacy when it comes to using the electronic gadgets. We are creating our Digital-Self, pretty much like in that movie called ‘Transcendence’. Things we do, watch, click on… everything bundles up into a valuable data. I don’t think these Tech giants would allow us to be completely free. With your digital footprints, not only the past, present or future can be analyzed, but also your future generations to come; your kids.

    The Internet is dark and full of terror…. **goes back to hiding in the closet**

  5. Toby said on August 17, 2017 at 5:15 am

    What about multicast name resolution?

    Specifies that link local multicast name resolution (LLMNR) is disabled on client computers.

    LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible.

    If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer.

    If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters.

  6. Tom Hawack said on August 14, 2017 at 4:18 pm

    Yet another Microsoft “speed before privacy” issue, and moreover only editable via the Registry or the Group Policy (only the latter — moreover#2 — in Windows 10). Happier than ever to have blocked the W10 tsunami, to stick and remain with Windows 7. Until when? Que sera sera …

    I ignored this multi-homed name resolution in Windows 8 and 10, good to know.

    Preventing circumvention of OpenDNS with firewall rules is fine as long as you don’t switch to another DNS, of course. Would be problematic — extremely inadvisable – on systems (Win8-10) using DNSCrypt.

  7. mat9v said on August 14, 2017 at 2:49 pm

    There is an error in this guide.
    “Turn off smart multi-homed name resolution” disables concurrent sending DNS requests over TCP/IP, LLMNR and NetBT, but they will still be sent over all active adapters in the system, just not concurrently but one after another if previous fail.

  8. TelV said on August 14, 2017 at 10:52 am

    Thanks for the tip Martin. I had to create the DNSClient key as well as the value, but the system rebooted without any issues afterwards.
