NetBIOS names, NBNS, and SMB: legacy LAN resolution

NetBIOS name service vs DNS

NetBIOS naming predates widespread DNS and was designed for small LANs where broadcast or a central name server could resolve 15-byte computer names. On modern Windows, the legacy stack still participates in discovery and backward compatibility even when DNS is authoritative for your AD domain.

DNS is hierarchical and globally delegated; NetBIOS Name Service (NBNS) on UDP/137 is flat and scoped to a broadcast domain unless a WINS server is configured. SMB file sharing today primarily uses DNS (and FQDNs), but NBNS traffic may still appear when legacy APIs or workgroups query names.

Ports and protocols (practical map)

UDP/137 — NetBIOS Name Service: name registration and query (equivalent conceptual role to DNS for NetBIOS names).
UDP/138 — NetBIOS Datagram Service: datagram broadcast delivery (browsing announcements historically).
TCP/139 — NetBIOS Session over NBT: session layer for SMB over NetBIOS transport.
TCP/445 — SMB directly over TCP: preferred path on modern networks; does not require NBT.

Microsoft documentation and NBTE guidance describe moving workloads to SMB over 445; seeing high volumes of 137/138 may indicate misconfigured clients or IoT gear still using workgroup browsing patterns.

The 15-byte NetBIOS scope (LANA)

A NetBIOS name is 16 characters in the API but the 16th is a suffix (0x00 for workstation, 0x20 for server service, etc.), leaving 15 visible characters. That is why long Windows hostnames truncate in legacy dialogs. Names are case-insensitive and padded; collisions on one segment still break discovery.

WINS vs broadcast vs LLMNR

WINS replicated a NetBIOS name database across subnets—essential before DNS was ubiquitous. Without WINS, NBNS falls back to broadcast, which does not cross routers. LLMNR and mDNS are different protocols solving local name resolution on modern OSes; they coexist with DNS-SD in many homes. Disabling NetBIOS over TCP/IP on an interface stops NBT framing for SMB but evaluate SMB signing and firewall rules so file shares keep working.

Security and segmentation notes

Broadcast name traffic reveals hostnames on a VLAN. In zero-trust designs, limit broadcast domains, monitor UDP 137/138 from IoT VLANs, and prefer Intune/AD-joined DNS for management. For IP context on clients sending these packets, see your public IP context and public vs private IP.

Frequently Asked Questions

Q.Should I disable NetBIOS?

In most modern networks, especially those using IPv6 and modern DNS, NetBIOS is not strictly necessary. However, disabling it can break sharing with older devices, so it's usually best to leave it on the default 'Automatic' setting unless you have a specific security reason to turn it off.

Q.Does disabling NetBIOS break SMB file shares?

Modern SMB prefers TCP/445 without NBT. Disabling NetBIOS over TCP/IP can still break very old clients or apps hard-coded to NBT; test in a pilot VLAN before wide rollout.

Q.What replaces WINS today?

Active Directory DNS with dynamic updates, global catalogs, and proper search suffixes replace most WINS use cases; LLMNR/mDNS may still appear for local discovery on small networks.