What is LLMNR?
Link-Local Multicast Name Resolution (LLMNR) is a network protocol that provides link-local name resolution when DNS is unable to provide an authoritative response. This can happen through a name resolution failure (for example, \\server instead of \\server-1), a denial-of-service attack that floods DNS responses, or the DNS server being unavailable.
It works by allowing the querying system to send a multicast name resolution query to the local network. If the system being looked up (e.g. a server or workstation) is located within the same network, it responds with its IP address as part of that name resolution.
Systems will tend to favour DNS, their local Hosts file, or any cached DNS data prior to querying the local network.
LLMNR Poisoning
Attackers exploit the intended purpose of LLMNR by responding with their own name resolution responses that redirect traffic to their attacking systems, instead of the intended resource.
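A legitimate host only answers LLMNR queries for its own name, so one source answering for several different names is a useful detection signal. The following is an added example, not code from the original page: it parses LLMNR payloads (UDP 5355, DNS wire format) and flags such responders. The addresses, host names, packet builder and the one-name threshold are assumptions made for illustration.

```python
import struct
from collections import defaultdict

def build_llmnr(name, is_response, txid=0x1234):
    """Build a minimal LLMNR message for the constructed samples (answer records omitted)."""
    flags = 0x8000 if is_response else 0x0000      # QR bit marks a response
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = bytes([len(name)]) + name.encode("ascii") + b"\x00"  # single label
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_llmnr(payload):
    """Return (is_response, queried_name) from an LLMNR payload, or None if malformed."""
    if len(payload) < 12:
        return None
    _, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount != 1:                 # LLMNR messages carry a single question
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        if length == 0:
            return bool(flags & 0x8000), ".".join(labels).lower()
        if length > 63 or pos + 1 + length > len(payload):  # pointer or truncated label
            return None
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return None

def suspicious_responders(packets, max_names=1):
    """Flag source IPs that answer for more distinct names than one host should own."""
    answered = defaultdict(set)
    for src_ip, payload in packets:
        parsed = parse_llmnr(payload)
        if parsed and parsed[0]:     # count responses only, ignore queries
            answered[src_ip].add(parsed[1])
    return {ip: sorted(names) for ip, names in answered.items() if len(names) > max_names}

# Constructed capture: (source IP, UDP payload) pairs; addresses and names are made up.
SAMPLE = [
    ("192.0.2.10", build_llmnr("server", False)),
    ("192.0.2.66", build_llmnr("server", True)),
    ("192.0.2.10", build_llmnr("fileshar", False)),
    ("192.0.2.66", build_llmnr("fileshar", True)),
    ("192.0.2.20", build_llmnr("server-1", True)),
]

if __name__ == "__main__":
    print(suspicious_responders(SAMPLE))
```

In a real deployment the `(source IP, payload)` pairs would come from a packet capture or network sensor, and the threshold would be tuned for hosts that legitimately answer for more than one name.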
Read our blog on mitigating LLMNR poisoning attacks for more information on how this attack works and the steps to secure your systems.