VYPR
researchPublished Jul 7, 2026· 1 source

macOS DNS Queries for Obsolete NetBIOS Records Raise Security Questions

macOS systems are generating unusual DNS queries for NIMLOC (Type 32) records, which, despite their historical association with an obsolete routing architecture, are actually tied to NetBIOS name service broadcasts.

Recent analysis of DNS logs has highlighted a peculiar phenomenon: macOS systems are issuing queries for NIMLOC (Type 32) DNS records. While the name 'NIMLOC' and its association with the defunct Nimrod routing architecture might suggest an outdated or irrelevant network activity, the reality points to a more persistent, albeit old, networking standard still in use.

Historically, NIMLOC records were designed for the Nimrod routing architecture to map names to network locators. However, this protocol was experimental and never saw widespread adoption, leading to NIMLOC records being considered obsolete and unused in modern network operations. The presence of these queries on macOS systems initially baffled researchers, as it seemed unlikely that modern operating systems would be interacting with such an archaic system.

The true origin of these queries lies not in the Nimrod architecture, but in the continued use of NetBIOS over TCP/UDP by macOS for name announcements. NetBIOS, an older standard for network communication, is still employed by macOS for broadcasting its presence and name on the network. This broadcast activity, which occurs on port 137, is what triggers the DNS queries.

DNS defines various resource record types, with NIMLOC (Type 32) originally assigned for NetBIOS General Name Service ('NB') and Type 33 for NetBIOS Node Status ('NBSTAT'). While modern Windows networks have largely transitioned away from NetBIOS, relying on DNS and SMB over TCP, macOS continues to utilize this older protocol. This persistence means that even though NetBIOS itself is largely phased out, its underlying mechanisms are still generating network traffic that can appear as unusual DNS queries.

Zeek, a popular network security monitoring tool, translates these Type 32 resource records to 'NIMLOC' in its logs. This naming convention aligns with the current IANA assignment for Type 32, which is 'Nimrod Locator.' However, the actual network traffic being observed is NetBIOS name service broadcasts, not communications related to the Nimrod routing scheme. This discrepancy can lead to confusion when analyzing network logs, as the label in the logs does not directly reflect the underlying protocol.

The implications of this finding are primarily related to network visibility and log analysis. Security professionals monitoring DNS traffic might encounter these NIMLOC queries and, without understanding the NetBIOS connection, could misinterpret them as indicators of obscure or potentially malicious activity. Recognizing that these are legitimate, albeit old, macOS network broadcasts is crucial for accurate threat detection and network troubleshooting.

While not a direct security vulnerability in itself, the continued reliance on older protocols like NetBIOS by modern operating systems presents a potential area for misinterpretation in security monitoring. It underscores the importance of understanding the full context behind network traffic, especially when dealing with legacy protocols that persist in unexpected places. The queries themselves are a byproduct of normal macOS network name resolution, but their unusual record type can be a red herring for security analysts.

Synthesized by Vypr AI