
1.0.0.127.dnsbugtest.1.0.0.127.in-addr.arpa

October 16th, 2007

Earlier a colleague pasted me an entry from his DNS server logs. A very odd request was being made from a machine on his local network; the request was: 1.0.0.127.dnsbugtest.1.0.0.127.in-addr.arpa: type PTR, class IN. We both did some quick Googling and found an interesting patent from Apple, "A Method and apparatus for detecting incorrect responses to network queries." This was about the only interesting link, and claim 7 of the patent was: The method of claim 6, wherein the format for the exploratory query is for the name "1.0.0.127.dnsbugtest.1.0.0.127.in-addr.arpa.".

Another link pointed to an old mailing list post from the Unsupported OS X mailing list. An OS X user, upon upgrading from 10.4.3 to 10.4.4, noticed that his "old school" MacDNS server was crashing when the above request was made. More specifically, the request was accepted, not resolved, and passed on to the ISP DNS server; the failure response was the actual cause of the crash.

I decided to do some digging and found a very brief mention of Bonjour, so I decided to browse over to the Apple website and download and install Bonjour for Windows. I also opened Wireshark, filtered to capture DNS only, to watch for any odd traffic. One of the last steps in the install was, "Setting up Bonjour Service". This service is set to automatic and starts the file: "C:\Program Files\Bonjour\mDNSResponder.exe". Within seconds of seeing that message, I noticed the above DNS request go by in Wireshark.

Now if anyone sees this strange request in their DNS logs and Googles for an answer, hopefully they'll find this... and for anyone interested... here's the packet:


0000 00 00 24 c2 74 51 00 1a 92 2f df 91 08 00 45 00 ..$.tQ.../....E.
0010 00 59 6f 40 00 00 ff 11 c8 9c c0 a8 01 65 c0 a8 .Yo@.........e..
0020 01 01 db 12 00 35 00 45 8b 30 79 b9 01 00 00 01 .....5.E.0y.....
0030 00 00 00 00 00 00 01 31 01 30 01 30 03 31 32 37 .......1.0.0.127
0040 0a 64 6e 73 62 75 67 74 65 73 74 01 31 01 30 01 .dnsbugtest.1.0.
0050 30 03 31 32 37 07 69 6e 2d 61 64 64 72 04 61 72 0.127.in-addr.ar
0060 70 61 00 00 0c 00 01 pa.....
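
As an added example (not part of the original post), this Python decodes the frame above down to its DNS question and checks it against the probe name, which is a quick way to confirm that an odd entry in a capture is this query. The function names are this example's own; the bytes are copied from the hex column of the dump.

```python
import struct

# Frame bytes copied from the hex column of the dump above.
FRAME = bytes.fromhex("""
00 00 24 c2 74 51 00 1a 92 2f df 91 08 00 45 00
00 59 6f 40 00 00 ff 11 c8 9c c0 a8 01 65 c0 a8
01 01 db 12 00 35 00 45 8b 30 79 b9 01 00 00 01
00 00 00 00 00 00 01 31 01 30 01 30 03 31 32 37
0a 64 6e 73 62 75 67 74 65 73 74 01 31 01 30 01
30 03 31 32 37 07 69 6e 2d 61 64 64 72 04 61 72
70 61 00 00 0c 00 01
""")
PROBE_NAME = "1.0.0.127.dnsbugtest.1.0.0.127.in-addr.arpa"
QTYPE_PTR = 12

def parse_dns_query(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/UDP headers and the first DNS question."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800 or frame[23] != 17:
        raise ValueError("expected an IPv4/UDP frame")
    udp = 14 + (frame[14] & 0x0F) * 4          # IP header length from IHL
    sport, dport, ulen = struct.unpack("!HHH", frame[udp:udp + 6])
    dns = frame[udp + 8:udp + ulen]            # UDP length bounds the DNS message
    txid, flags, qdcount = struct.unpack("!HHH", dns[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12                       # questions follow the 12-byte header
    while dns[pos] != 0:
        n = dns[pos]
        if n & 0xC0:                           # compression pointers not expected here
            raise ValueError("unexpected compression pointer in question")
        labels.append(dns[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", dns[pos + 1:pos + 5])
    return {
        "src": ".".join(map(str, frame[26:30])), "sport": sport,
        "dst": ".".join(map(str, frame[30:34])), "dport": dport,
        "txid": txid, "is_response": bool(flags & 0x8000),
        "qname": ".".join(labels), "qtype": qtype, "qclass": qclass,
    }

def is_dnsbugtest_probe(q: dict) -> bool:
    """True for a PTR query whose name is exactly the probe name."""
    return (not q["is_response"] and q["qtype"] == QTYPE_PTR
            and q["qname"].lower() == PROBE_NAME)

if __name__ == "__main__":
    query = parse_dns_query(FRAME)
    print(query, is_dnsbugtest_probe(query))
```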

  1. October 16th, 2007 at 10:28 | #1

    Weird, so the whole point of that request is to see how the DNS server handles an invalid request? Great!

  2. D4ngerM0use
    June 8th, 2008 at 20:34 | #2

    Hi,
    I found the same “funny packet” while monitoring our network.
    And **surprise**, I first googled “dnsbugtest” and found this page :-)
    In our case it was a Windows laptop with the Apple Safari browser (Windows edition), which has mDNSResponder piggybacked.
    Thanks for the post

    D4ngerM0use, GERMANY

  3. Paul Taylor
    July 24th, 2008 at 16:56 | #3

    I found this page today when searching for “dnsbugtest” after seeing it in a trace I took of traffic from my iPhone. Apparently, Apple has this in all their products.

  4. August 5th, 2008 at 17:07 | #4

    These still occur, at least with Leopard, and are very weird.

  5. L0uis
    August 18th, 2008 at 16:10 | #5

    I noticed some strange dns.server logs. Googling for “dnsbugtest.1.0.0.127” yielded your site. Thanks.

  6. Kleinalrik
    September 22nd, 2008 at 12:16 | #6

    Today my firewall warned me for the first time that “bonjour service” tries to send data to 1.0.0.127.dnsbugtest.1.0.0.127.in.addr.ar
    I searched my mind for what I had last done or installed on my computer, but couldn't work it out.
    Now, with the frequent mention of Apple, it came to me (I forgot, because the last action was a week ago, due to my honeymoon): I installed the very newest update of iTunes. I think this is the clue to it.

  7. o`Nix
    December 12th, 2008 at 00:57 | #7

    Thanks!

  8. trafficwatcher
    January 15th, 2009 at 00:32 | #8

    And what do you suppose it does with this information? How odd.

  9. Annonymous IT guy
    January 19th, 2009 at 14:20 | #9

    1.0.0.127.dnsbugtest.1.0.0.127.in-addr.arpa
    I too was seeing these and went straight to Google. The computer in question does have Bonjour installed, and you saved me the trouble of trying to figure it out.

    Thanks

  10. Jesse
    August 7th, 2009 at 18:53 | #10

    Sometimes I see whole floods of these on our ISP customer network. Then after a while other domain names are mentioned in the query, then eventually it dies out.
    11:44:19.989102 IP 10.0.1.2.31921 > 10.0.3.4.53: 21411+ PTR? 1.0.0.127.dnsbugtest.1.0.0.127.in-addr.arpa. (61)

    The flood of them is so fast it bogs stuff down.

  11. Fjor
    September 1st, 2009 at 01:36 | #11

    Hi! This info is important. In my network, I have some 900+ PCs, and a lot of the DNS queries are like these – wasting the work of my local DNS server. So, I will take an active role in uninstalling any Bonjour software (just as we disabled the similar SSDP service) at the next maintenance stop of the PCs. Maybe at home or in small SOHOs it could be useful to know the "quality" of the routers periodically (just as if suddenly the router's DNS processing failed or autofixed itself, hehe), but not on medium/large networks.

    My DNS servers are functioning properly; we don't need no stinking bonjours asking every three seconds the same question again and again. I can't believe Apple/Microsoft couldn't at least give it a 60 seconds cache time!!! Talking about fatware and useless protocols…

    Sorry for the rant – simply I couldn't help it.

  12. I. L.
    December 15th, 2009 at 00:35 | #12

    I installed (and uninstalled) Safari browser today and went searching for the cause of this packet. I landed on this page first…thanks. 12/14/09

    0x0000 00 08 54 B1 27 1D 00 23-CD C4 CF 64 08 00 45 00 ..T±'..#ÍÄÏd..E.
    0x0010 00 A0 96 F1 40 00 FB 11-55 CD CF FF 00 82 C0 A8 . –ñ@.û.UÍÏÿ.‚À¨
    0x0020 01 64 00 35 DC 71 00 8C-47 07 4A 49 85 83 00 01 .d.5Üq.ŒG.JI…ƒ..
    0x0030 00 00 00 01 00 00 01 31-01 30 01 30 03 31 32 37 .......1.0.0.127
    0x0040 0A 64 6E 73 62 75 67 74-65 73 74 01 31 01 30 01 .dnsbugtest.1.0.
    0x0050 30 03 31 32 37 07 69 6E-2D 61 64 64 72 04 61 72 0.127.in-addr.ar
    0x0060 70 61 00 00 0C 00 01 03-31 32 37 07 69 6E 2D 61 pa......127.in-a
    0x0070 64 64 72 04 61 72 70 61-00 00 06 00 01 00 01 51 ddr.arpa.......Q
    0x0080 80 00 2B 09 6C 6F 63 61-6C 68 6F 73 74 C0 3D 08 €.+.localhostÀ=.
    0x0090 6C 6F 6F 70 62 61 63 6B-C0 3D 00 00 00 03 00 00 loopbackÀ=......
    0x00A0 2A 30 00 00 0E 10 00 09-3A 80 00 01 51 80 *0......:€..Q€
