Results 1 to 13 of 13
  1. #1
    New Lounger
    Join Date
    Oct 2011
    Posts
    14
    Thanks
    0
    Thanked 3 Times in 2 Posts

    Where does the network browser get names of computers and other devices?

    I'm curious where Windows 7's network browser gets the names of the computers and other devices that it lists.

    My wireless ISP uses Canopy equipment. When I open my Windows 7 Network Browser I sometimes see names of computers not on my LAN. When I scan my LAN using SoftPerfect's Network Scanner all I see are the devices I expect. This has nothing to do with my Wi-Fi connection, either.

    I had the same problem with my prior WISP <u>after</u> he gave me a static IP address. Their tech said he experienced this on his home LAN and didn't know what caused it, but he had grown used to it and didn't worry about it.

    I don't have a static IP with my new WISP. My router is simply configured for a Dynamic connection with no login needed.

    I've found similar questions on the Net and all the responders jump on wireless security, etc. I know this is not the problem because I can disable wi-fi and disconnect all other devices in my home and still see these computers (if they happened to be visible). Plus, like I said, my former WISP tech had seen the same phenomenon on his PC when I switched to a static IP address. I think it's a byproduct of being connected to a WAN, and Windows 7 is picking up this info from..., well, that's the question!

  2. #2
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    The names of the devices are the Netbios names of the other hosts. They are discovered by the Microsoft implementation of the name service.

    I would be very skeptical of what the manufacturers PC tech says. Yes, he may have seen it on his home PC - but he may use systems supplied by his employer at a staff discount. If he says it's nothing to worry about, I would seriously consider moving service provider based on poor technical support and suspicions of inadequate security!

    To investigate: Next time this occurs, turn off any WiFi connection from the PC to the modem, then open a command prompt and run nslookup hostname, where hostname is the name of the suspect device. If the device is on your network (has an IP address in the range 192.168.x.x, 172.16.x.x to 172.31.x.x or 10.x.x.x), then there is a problem. Next run an ipconfig /all to verify only your LAN is active. Take a screen grab of both to present to your network provider. Try those commands now on your PC's to see what to expect.

    If there genuinely are additional hosts on your network the modem/router has a significant security hole and the vendor/manufacturer should resolve it asap.

  3. #3
    New Lounger
    Join Date
    Oct 2011
    Posts
    14
    Thanks
    0
    Thanked 3 Times in 2 Posts

    Red face reply to Tinto Tech

    Thank you for replying. At the moment none of the 2 or 3 occasional "stray" devices are appearing on the network so I tried nslookup on another Windows 7 PC on my LAN. I also tried it using the hostname of the laptop I'm working at. In both cases I got identical results:

    C:\Windows\System32>nslookup (computer name)
    Server: router.office
    Address: 192.168.1.1


    Non-authoritative answer:
    Name: (same computer name as above).lan
    Address: 67.nnn.nnn.nnn

    In neither case is it reporting the IP address of the target PC (if indeed it's supposed to). I then used a fictitious computer name after nslookup and got the same result, so either I'm misusing nslookup or its output would appear to be useless.
    Last edited by timmy2; 2012-04-13 at 12:06.

  4. #4
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    That sounds to me like an incorrectly configured router or network DNS settings. I can't say for sure, because it depends on what your service provider offers.

    However, it is reporting a publicly routable IP address for something that should be on your LAN. Running a whois lookup on that IP address indicates it is allocated by OpenDNS LLC. Worse, it is reporting the same IP for a fictitious host name.

    Here is the nslookup of my workstation:

    nslookup office.JPG

    and the same for a random name:

    nslookup random.JPG

    The lookup is being performed on my dsl modem/router which is on 192.168.1.254 The router provides DNS and DHCP for my network. My workstation is allocated 192.168.1.154, which is what is returned when I run the nslookup on it. In the second screen grab, I attempt to lookup a random name and it provides an error message as expected.

    It seems you have a public IP that is allocated by a DNS management company. The IP address suggests that you don't have a LAN in the conventional sense, but possibly a switch (as opposed to a router) which multiplexes the "LAN" network devices connectivity to the public IP. This is why you get the same IP address for different hosts. That seems rather odd and quite probably a big security risk.

    It also seems to backup that fact that you will occasionally see other hosts on "your network", depending on what your hosting company and their DNS settings are - simply because "your network" extends outside your property and onto the internet; and is being managed by your service provider.

    If all of those assumptions are correct, the easiest way to fix it is to connect a router between the incoming modem and your network. The router will provide you with non-publicly routable IP addresses (e.g., 192.168.1.1) and a firewall.

    You might wish to remove or obscure the public IP address from your post too.
    Last edited by Tinto Tech; 2012-04-13 at 11:47. Reason: spelling

  5. #5
    New Lounger
    Join Date
    Oct 2011
    Posts
    14
    Thanks
    0
    Thanked 3 Times in 2 Posts
    First, Yikes! and thank you for the follow-up.

    The router I'm using is indeed between the WISP's radio and my network. It's a Belkin N750DB. Its status screen says "firewall" is enabled, as is UPnP.

    I note in its log that yesterday the following appeared:

    process_local_master_announce: Server WHITE-PC at IP 65.65.138.3 is announcing itself as a local master browser for workgroup WORKGROUP and we think we are master. Forcing election.

    hmmm. "WHITE-PC" is not one of mine.

    Since the router is configured as properly as any router I've ever dealt with, perhaps it's defective in its firewall capabilities. Or perhaps all of this is the result of its extra capabilities (see N750 at Belkin).

    I may switch it out with its predecessor, a Netgear FVS336G. I guess a this point, since I'm not presently seeing the "stray" PCs I'll use the nslookup results to see if the other router yields the kind of results your screen caps showed. From your results I gather that nslookup should show the local IP of the hostname value, and if the hostname is invalid it should say so. My impression of nslookup is that it's for DNS testing, which might cause the results to differ based on the various bits of hardware on the LAN. Isn't there a more suitable tool for Netbios testing?
    Last edited by timmy2; 2012-04-13 at 13:32. Reason: clarity and spelling

  6. #6
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,172
    Thanks
    47
    Thanked 981 Times in 911 Posts
    Master browser election is a netbios thing - why your router is participating in netbios I don't know.
    I suspect those random entries are netbios names that have leaked through the router and can probably be ignored. Routers should not pass netbios traffic.

    cheers, Paul

  7. #7
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    Paul, I think the entry is a symptom of the same problem that caused the nslookup to return the same public IP address for his PC and other devices on his LAN. That says to me that his router is not implementing NAT correctly and is not providing DNS for his LAN.

    There are several interesting results that can be inferred from the earlier nslookup result.
    • First, the result came from the router - it responded saying that it has an IP address of 192.168.1.1
    • Second that it was the non-authoritative DNS server for your devices - for normal residential systems it should be the authoritative device for the LAN
    • Third the result was a public IP address for your internal network - not a reserved range of 192.168.x.x.


    There is something very odd indeed with that router.

  8. #8
    New Lounger
    Join Date
    Oct 2011
    Posts
    14
    Thanks
    0
    Thanked 3 Times in 2 Posts
    Thank you, Paul T. I notice in Windows' network browser that the router itself is listed. I assume this is happening because its features include acting as a UPnP/DLNA media server (with attached HDD), a shared backup drive and a USB print server, so it's likely that Netbios is supported.

    I'd sure would like to understand better how Windows 7's network browser compiles its list of PCs and other devices.

  9. #9
    New Lounger
    Join Date
    Oct 2011
    Posts
    14
    Thanks
    0
    Thanked 3 Times in 2 Posts
    The Belkin router is providing DNS for the LAN. It's configured for OpenDNS.

  10. #10
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    Quote Originally Posted by timmy2 View Post
    The Belkin router is providing DNS for the LAN. It's configured for OpenDNS.
    So, something is not right with the DNS config: running nslookup for hostnames on your LAN is returning DNS records from OpenDNS rather than from your router.

  11. #11
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,172
    Thanks
    47
    Thanked 981 Times in 911 Posts
    TT, a non-authoritative response is correct for every address, unless the router is the home of that DNS entry.

    timmy, Windows uses a combination of DNS, WINS and netbios to find other devices. Any device on your LAN will broadcast its details and Windows listens for this information. This is stored by the master browser and other computers can query the master browser for machine details. WINS allows broadcasts to work across networks - routers do not pass broadcast traffic so WINS does the work. DNS is used for everything not listed in the previous two mechanisms.

    cheers, Paul

  12. #12
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    Quote Originally Posted by Paul T View Post
    TT, a non-authoritative response is correct for every address, unless the router is the home of that DNS entry.

    timmy, Windows uses a combination of DNS, WINS and netbios to find other devices. Any device on your LAN will broadcast its details and Windows listens for this information. This is stored by the master browser and other computers can query the master browser for machine details. WINS allows broadcasts to work across networks - routers do not pass broadcast traffic so WINS does the work. DNS is used for everything not listed in the previous two mechanisms.

    cheers, Paul
    Correct, since the router is responding with a non-authoritative response, it is not the home for the DNS entries for devices on his residential LAN. That is not normal.

    The router would normally provide authoritative responses for local devices, it is after all the DNS server for his LAN.

    No other DNS server should know about his local devices - they are (should be) on the local side of the NAT server and should be assigned local IP's by DHCP (e.g., 192.168.x.x). Instead, when queried for any local device on the LAN, the router is responding with the same a non-authoritative public IP (of the router I suspect).

    By inference then, when the DNS in the router is queried, it cannot find DNS records for his local devices, so it asks the OpenDNS servers. This is the correct rsponse for a DNS server if it can't locate a DNS record. The Open DNS servers respond correctly by saying they are non-authoritative. Since the public IP is returned, it indicates that the router has not asked Open DNS for the local device, but asked for the IP of itself.

    The DNS in the router is broken or misconfigured.

    Since netbios names are being passed through the router further indicates that the router is not functioning as it should.

  13. #13
    WS Lounge VIP
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    8,172
    Thanks
    47
    Thanked 981 Times in 911 Posts
    TT, sorry, mis-read timmy's reply. You are correct about the nslookup response. We do seem to agree that the router is odd.

    cheers, Paul

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •