We have one workstation which sends out 40 LLMNR packets every 30 seconds (marked "Standard query A"). It's been checked every way possible for malware and rootkits; I feel pretty confident that it's clean. But what gives? None of the other machines on our network broadcast anywhere near this much. Or am I obsessing over nothing? -Roger asked 11 Oct '12, 11:36 Shrubber
2 Answers:
Please take a look at the following question and my answer
Those queries could well be generated by a feature of the Chrome browser. It does random name lookups for some purpose. What do the LLMNR queries look like in your network? Are they for random names? If so, please check if Chrome is running on that system. If so, close the browser and then check if the LLMNR queries stop. If the name queries are not random (and Chrome is not used), can you please post a sample capture of the queries somewhere (cloudshark.org)? Regards answered 13 Oct '12, 01:46 Kurt Knochner ♦
Random name lookups (DNS/NBNS/LLMNR) related to Chrome can occur when using a proxy auto-config script on your network. Changing the proxy settings to disable automatic configuration is one way to test/work around that behavior. Chrome does random, 10 character name lookups on startup in an effort to prevent nefarious activities of some ISPs. However, if the PAC script has an error Chrome will re-run it... repeatedly. Subsequently any name lookups in the script would be called until Chrome is shut down. The fix is already in the first release channel. A few random lookups during the first page load are normal though. https://tools.google.com/dlpage/chromesxs -Todd answered 15 Nov '12, 12:51 Tenu1000
You mean LLMNR query? If so, does the workstation get a response?
Yes, Standard query A. The workstation being queried is online, but I haven't seen any responses. Both systems are working Windows 7 Pro workstations. There are files being shared, which works fine regardless. Thinking of turning off LLMNR completely on both workstations...
At some point I had these LLMNR 10-random-character multicasts flooding the network at a rate of 30 packets per second, all coming from one workstation.
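One way to check a capture for the pattern discussed in this thread, as an added example that is not part of any post above: it parses LLMNR query payloads (UDP port 5355) and flags sources asking for many distinct names shaped like the 10-character random lookups. The 10-lowercase-letter pattern, the threshold of 5, the addresses and all sample names are assumptions constructed for the illustration.

```python
import re
import struct
from collections import defaultdict

RANDOM_LABEL = re.compile(r"^[a-z]{10}$")  # assumed shape of the random probe names

def parse_query(payload):
    """Return (name, qtype) for an LLMNR query payload, or None if it is not one."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:        # QR bit set means a response
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        pos += 1
        if length == 0:                      # root label ends the name
            break
        if length & 0xC0 or pos + length > len(payload):
            return None                      # compression pointer or truncated label
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    else:
        return None                          # name never terminated
    if pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype

def noisy_sources(packets, min_names=5):
    """packets: (src_ip, udp_payload) pairs. Report sources by distinct random-looking A queries."""
    seen = defaultdict(set)
    for src, payload in packets:
        parsed = parse_query(payload)
        if parsed and parsed[1] == 1 and RANDOM_LABEL.match(parsed[0]):
            seen[src].add(parsed[0])
    return {src: sorted(n) for src, n in seen.items() if len(n) >= min_names}

def build_query(name, txid=0x1234, qtype=1):
    """Constructed sample input: an LLMNR query payload for `name`."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

# Constructed capture: one host probing random names, one host doing ordinary lookups.
SAMPLE = [("192.0.2.10", build_query(n)) for n in
          ["qzkvhpwmtx", "bnrfyjcgld", "xwtqmzkhvb", "plgdnrsfyc", "hjvkwqztmb"]]
# "fileserver" is also 10 lowercase letters, so one match alone proves nothing.
SAMPLE += [("192.0.2.20", build_query("fileserver")), ("192.0.2.20", build_query("wpad"))]
```

Counting distinct names per source, rather than matching single packets, keeps an ordinary 10-letter hostname from being flagged.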