
Disable LLMNR Linux

Disables Link-Local Multicast Name Resolution (LLMNR) on Linux endpoints to prevent man-in-the-middle attacks

Worklet Details

What the LLMNR disabler does

This Automox Worklet™ disables Link-Local Multicast Name Resolution (LLMNR) on Linux endpoints running systemd-resolved. LLMNR is a legacy name resolution protocol that allows hosts to resolve names on the local network without a DNS server. While convenient, it creates significant security risks.

The Worklet modifies /etc/systemd/resolved.conf to explicitly set LLMNR=no. This prevents the endpoint from responding to or trusting LLMNR queries, eliminating a common attack vector for credential theft.

Why disable LLMNR on managed endpoints

LLMNR poisoning is a well-known attack technique used in penetration testing and by real attackers. Tools like Responder can impersonate any hostname on the local network by responding to LLMNR queries before legitimate servers. This allows attackers to capture NTLMv2 hashes, relay authentication, or redirect traffic to malicious servers.

In enterprise environments with proper DNS infrastructure, LLMNR provides no benefit. DNS handles all name resolution needs. Disabling LLMNR removes a legacy protocol that only serves as an attack surface.

Security frameworks and compliance standards recommend disabling LLMNR. This Worklet helps you meet these requirements consistently across your Linux fleet while reducing your attack surface.

How LLMNR disabling works

  1. Evaluation phase: Searches /etc/systemd/resolved.conf for the pattern LLMNR=no (case-insensitive). If found, the endpoint is compliant. If not found or set to another value, remediation is triggered.

  2. Remediation phase: Uses sed to replace any existing LLMNR line with LLMNR=no in /etc/systemd/resolved.conf. The change is verified by checking the file again. A system restart is required for the change to take effect.
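The two phases above as a shell sketch, added here as an example; it is not the Worklet's own script, and the function names `llmnr_is_disabled` and `llmnr_disable` are hypothetical. It goes beyond the described behavior in two ways: a commented-out `#LLMNR=no` is not counted as compliant, and a file with no LLMNR line gets one added under `[Resolve]`. It assumes GNU sed.

```shell
#!/bin/sh
# Added example, not the Worklet's script. Function names are hypothetical.
# The file path is a parameter so the logic can be tried on a copy first.

# Exit 0 only if every active (uncommented) LLMNR assignment is "no".
llmnr_is_disabled() {
    # A commented "#LLMNR=no" is ignored by systemd-resolved, so it does not count.
    active=$(grep -iE '^[[:space:]]*LLMNR[[:space:]]*=' "$1" 2>/dev/null) || return 1
    # grep -v finds any active assignment whose value is not "no".
    ! printf '%s\n' "$active" | grep -qivE '=[[:space:]]*no[[:space:]]*$'
}

# Set LLMNR=no in the given file, then re-run the evaluation as verification.
llmnr_disable() {
    f=$1
    [ -f "$f" ] || return 2
    if grep -qiE '^[[:space:]]*#?[[:space:]]*LLMNR[[:space:]]*=' "$f"; then
        # Replace existing LLMNR lines, commented or not (GNU sed: -i, I flag).
        sed -i -E 's/^[[:space:]]*#?[[:space:]]*LLMNR[[:space:]]*=.*/LLMNR=no/I' "$f"
    elif grep -q '^\[Resolve]' "$f"; then
        # No LLMNR line at all: add one directly under the [Resolve] header.
        sed -i '/^\[Resolve]/a LLMNR=no' "$f"
    else
        printf '\n[Resolve]\nLLMNR=no\n' >> "$f"
    fi
    llmnr_is_disabled "$f"
}

# Demo on a constructed file, not a real endpoint's configuration.
demo() {
    tmp=$(mktemp) || return 1
    printf '[Resolve]\n#DNS=\n#LLMNR=yes\n' > "$tmp"
    llmnr_is_disabled "$tmp" && echo "before: compliant" || echo "before: non-compliant"
    llmnr_disable "$tmp" && echo "after: compliant"
    grep -n 'LLMNR' "$tmp"
    rm -f "$tmp"
}
demo
```

On an endpoint the functions would be pointed at /etc/systemd/resolved.conf as root; as stated above, the change applies after a restart.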

LLMNR configuration requirements

  • Linux endpoints using systemd-resolved for name resolution

  • /etc/systemd/resolved.conf must exist with an LLMNR setting to modify

  • Root privileges for the Automox agent

  • Restart or reboot required after remediation to apply the change

Expected name resolution behavior after remediation

After remediation and restart, the endpoint no longer participates in LLMNR. Verify by checking that LLMNR=no appears in /etc/systemd/resolved.conf. You can also run resolvectl status to confirm LLMNR is disabled in the current configuration.

Name resolution continues to work through DNS. Only the fallback to LLMNR is disabled. Endpoints are protected from LLMNR poisoning attacks on the local network.

How to validate Disable LLMNR Linux changes

  1. Run this Worklet on a pilot Linux endpoint and review the evaluation output for Disable LLMNR Linux.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to the evaluation script logic, such as its exit and else statements.

  4. Validate remediation effects from script operations such as sed, exit, and else, then rerun evaluation for compliance.

For technical validation, compare endpoint state to the Worklet evaluation logic and remediation flow for Disable LLMNR Linux. This supports repeatable security workflows, faster change control review, and auditable compliance evidence.

Useful script references for this Worklet include evaluation operations such as exit and else, and remediation operations such as sed, exit, and else. Use these indicators to verify that endpoint changes match intended policy outcomes.

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.