Why does our network firewall drop the netbios ns packets?
In our local domain environment, we use Sophos UTM to protect our network. When I check the firewall logs, I can see that a huge number of the packets dropped by the firewall are NetBIOS-NS (UDP 137) broadcasts. Checking for more details reveals that these blocked packets were all generated by one of the DCs. My questions are:
How to deal with this? Why are they all generated by only one of our DNS servers and not the other two (we have 3 DNS servers)? I would really like to know if it is safe to disable NetBIOS as DNS is supposed to serve the purpose.
It is dropping the NetBIOS-NS packets to prevent NBNS spoofing. Anybody can answer NBNS requests, and the requesting host will accept any answer. This enables MitM attacks. You're right that DNS provides the same service more securely, and unless you have some legacy systems in your network, it should be safe to disable NetBIOS. In the worst case, having NBNS enabled can lead to a domain administrator account being compromised by an unauthenticated attacker (if the account is used improperly and has a weak password, nothing that hasn't been heard of before). I assume that, unlike the other two DCs, one of your DCs is configured to use NBNS on top of DNS. As far as I know, clients mimic the behaviour of the DCs in this case by default.
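As an added example (not part of the question or the answer above), the following PowerShell script audits the NetBIOS over TCP/IP setting of every adapter on a Windows host, such as the DC that is emitting the broadcasts, and disables it on request. The NetBT registry path and the NetbiosOptions values are the standard ones; mapping the Tcpip_{GUID} subkeys to adapter names through Win32_NetworkAdapterConfiguration assumes WMI/CIM is available on the host.

```powershell
# Audit (and optionally disable) NetBIOS over TCP/IP per network adapter.
# NetbiosOptions: 0 = use DHCP setting (NBNS stays on unless DHCP says otherwise),
#                 1 = enabled, 2 = disabled.
[CmdletBinding()]
param(
    [switch]$Disable   # audit only unless this switch is given
)

$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
$labels = @{ 0 = 'Default (DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }

# Map each Tcpip_{GUID} registry subkey to a human-readable adapter name.
$names = @{}
Get-CimInstance Win32_NetworkAdapterConfiguration | Where-Object IPEnabled |
    ForEach-Object { $names["Tcpip_$($_.SettingID)"] = $_.Description }

$report = foreach ($key in Get-ChildItem $base) {
    $opt = (Get-ItemProperty $key.PSPath).NetbiosOptions
    if ($null -eq $opt) { $opt = 0 }   # missing value behaves like the default
    [pscustomobject]@{
        Interface  = $key.PSChildName
        Adapter    = $names[$key.PSChildName]
        Setting    = $labels[[int]$opt]
        NbnsActive = ($opt -ne 2)      # anything but 2 can still broadcast on UDP 137
    }
}

# Show which adapters still answer/send NBNS; these are the ones the firewall sees.
$report | Format-Table -AutoSize

if ($Disable) {
    foreach ($row in ($report | Where-Object NbnsActive)) {
        Set-ItemProperty -Path (Join-Path $base $row.Interface) -Name NetbiosOptions -Value 2
        Write-Host "Disabled NetBIOS over TCP/IP on $($row.Interface) ($($row.Adapter))"
    }
    Write-Host 'Restart the adapters (or reboot) for the change to take effect.'
}
```

Run it without switches on each DC first: the host whose adapters report Default or Enabled is the one generating the dropped UDP 137 broadcasts, and re-running the audit after `-Disable` (and an adapter restart) should show every interface as Disabled.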