The Responder tool can grab the NetNTLM hashes of clients on a Microsoft AD network either by using LLMNR to answer queries "accidentally" made by clients, responding as otherwise nonexistent SMB servers, or by responding to WPAD to insert itself as a local proxy server which can require Windows authentication in order to grab the same hashes.
Can this be mitigated by requiring SMB signing by clients on the network? I.e., would this prevent the client from sending its response to the authentication challenge because the authentication challenge wasn't signed?
I sometimes read about the mitigation being to disable LLMNR; however, it seems to me that the same could then be achieved via ARP spoofing or via DNS poisoning (i.e. sending a response to clients because you are suitably positioned to view requests), albeit this would be limited to the current network segment only. Is this correct?
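A defensive check built on the LLMNR behaviour described in the question, as an added example that is not part of the original post: a monitor asks LLMNR for a name that no host owns (a canary) and treats any answer for that name as a spoofing responder. The canary name, function names and sample packets are constructed for illustration, and capturing the UDP/5355 payloads is assumed to happen elsewhere.

```python
import struct

QR_RESPONSE = 0x8000  # flags bit: set in responses, clear in queries

def encode_name(name):
    """Encode a host name as length-prefixed labels (DNS/LLMNR wire format)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(packet, offset):
    """Decode the uncompressed question name that starts at offset."""
    labels = []
    while True:
        if offset >= len(packet):
            raise ValueError("truncated name")
        length = packet[offset]
        if length == 0:
            return ".".join(labels)
        if length & 0xC0 or offset + 1 + length > len(packet):
            raise ValueError("bad label")
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length

def build_packet(txid, name, answer_ip=None):
    """Construct a sample LLMNR query, or a response when answer_ip is given."""
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # type A, class IN
    if answer_ip is None:
        return struct.pack("!6H", txid, 0, 1, 0, 0, 0) + question
    rdata = bytes(int(octet) for octet in answer_ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, 30, 4) + rdata
    return struct.pack("!6H", txid, QR_RESPONSE, 1, 1, 0, 0) + question + answer

def classify(packet, canaries):
    """Label a UDP/5355 payload; an answer for a canary name marks a spoofer."""
    if len(packet) < 12:
        return "malformed"
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", packet[:12])
    if qdcount != 1:  # LLMNR queries and responses carry exactly one question
        return "malformed"
    try:
        name = read_name(packet, 12).lower()
    except ValueError:
        return "malformed"
    if not flags & QR_RESPONSE:
        return "query"
    if ancount > 0 and name in canaries:
        return "spoofed-answer"
    return "response"

CANARIES = {"fs-canary-7q2x"}  # constructed name that no real host uses
```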