10.16.07

1.0.0.127.dnsbugtest.1.0.0.127.in-addr.arpa

Posted in IT at 4:02 am by Tyler Reguly

Earlier, a colleague pasted me an entry from his DNS server logs. A very odd request was being made from a machine on his local network; the request was: 1.0.0.127.dnsbugtest.1.0.0.127.in-addr.arpa: type PTR, class IN. We both did some quick Googling and found an interesting patent from Apple, "A Method and apparatus for detecting incorrect responses to network queries." This was about the only interesting link, and claim 7 of the patent was: The method of claim 6, wherein the format for the exploratory query is for the name "1.0.0.127.dnsbugtest.1.0.0.127.in-addr.arpa.".

Another link pointed to an old mailing list post from the Unsupported OS X mailing list. An OS X user, upon upgrading from 10.4.3 to 10.4.4, noticed that his "old school" MacDNS server was crashing when the above request was made. More specifically, the request was accepted, not resolved, and passed on to the ISP DNS server; the failure response was the actual cause of the crash.

I decided to do some digging and found a very brief mention of Bonjour, so I decided to browse over to the Apple website and download and install Bonjour for Windows. I also opened Wireshark, filtered to capture DNS only, to watch for any odd traffic. One of the last steps in the install was, "Setting up Bonjour Service". This service is set to automatic and starts the file: "C:\Program Files\Bonjour\mDNSResponder.exe". Within seconds of seeing that message, I noticed the above DNS request go by in Wireshark.

Now if anyone sees this strange request in their DNS logs and Googles for an answer, hopefully they'll find this... and for anyone interested... here's the packet:


0000 00 00 24 c2 74 51 00 1a 92 2f df 91 08 00 45 00 ..$.tQ.../....E.
0010 00 59 6f 40 00 00 ff 11 c8 9c c0 a8 01 65 c0 a8 .Yo@.........e..
0020 01 01 db 12 00 35 00 45 8b 30 79 b9 01 00 00 01 .....5.E.0y.....
0030 00 00 00 00 00 00 01 31 01 30 01 30 03 31 32 37 .......1.0.0.127
0040 0a 64 6e 73 62 75 67 74 65 73 74 01 31 01 30 01 .dnsbugtest.1.0.
0050 30 03 31 32 37 07 69 6e 2d 61 64 64 72 04 61 72 0.127.in-addr.ar
0060 70 61 00 00 0c 00 01 pa.....
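
Decoding the packet above, as an added example that is not part of the original post: this Python sketch walks the Ethernet, IPv4, UDP and DNS headers of the bytes in the dump and checks the question against the name quoted in the post. The function names and the `PROBE_NAME` constant are assumptions made for the example.

```python
import struct

# Bytes copied from the hex dump in the post (offset and ASCII columns dropped).
PACKET_HEX = """
00 00 24 c2 74 51 00 1a 92 2f df 91 08 00 45 00
00 59 6f 40 00 00 ff 11 c8 9c c0 a8 01 65 c0 a8
01 01 db 12 00 35 00 45 8b 30 79 b9 01 00 00 01
00 00 00 00 00 00 01 31 01 30 01 30 03 31 32 37
0a 64 6e 73 62 75 67 74 65 73 74 01 31 01 30 01
30 03 31 32 37 07 69 6e 2d 61 64 64 72 04 61 72
70 61 00 00 0c 00 01
"""
PROBE_NAME = "1.0.0.127.dnsbugtest.1.0.0.127.in-addr.arpa"  # name quoted in the post

def read_qname(buf, off):
    """Read an uncompressed DNS name; return (dotted name, offset after it)."""
    labels = []
    while True:
        length = buf[off]
        off += 1
        if length == 0:  # zero-length root label ends the name
            return ".".join(labels), off
        if length & 0xC0:  # compression pointers do not belong in a lone question
            raise ValueError("unexpected compression pointer")
        labels.append(buf[off:off + length].decode("ascii"))
        off += length

def parse_query(frame):
    """Decode Ethernet/IPv4/UDP/DNS and return the first question as a dict."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800 or frame[14 + 9] != 17:
        raise ValueError("not an IPv4/UDP frame")
    udp = 14 + (frame[14] & 0x0F) * 4  # IP header length comes from the IHL field
    sport, dport = struct.unpack_from("!HH", frame, udp)
    txid, flags, qdcount = struct.unpack_from("!HHH", frame, udp + 8)
    if qdcount < 1:
        raise ValueError("no question section")
    qname, off = read_qname(frame, udp + 8 + 12)  # question follows the 12-byte header
    qtype, qclass = struct.unpack_from("!HH", frame, off)
    return {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
            "dport": dport, "is_query": not flags & 0x8000, "rd": bool(flags & 0x0100),
            "qname": qname, "qtype": qtype, "qclass": qclass}

def is_dnsbugtest_probe(q):
    """True for a PTR/IN query for the probe name (DNS names are case-insensitive)."""
    return q["is_query"] and q["qtype"] == 12 and q["qclass"] == 1 \
        and q["qname"].rstrip(".").lower() == PROBE_NAME

if __name__ == "__main__":
    q = parse_query(bytes.fromhex("".join(PACKET_HEX.split())))
    print(q, "-> dnsbugtest probe:", is_dnsbugtest_probe(q))
```

The decoded fields show a recursive query (RD set) sent from 192.168.1.101 to port 53 on 192.168.1.1, which is the shape to look for in resolver logs.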


2 Comments »

  1. LonerVamp said,

    October 16, 2007 at 10:28 am

    Weird, so the whole point of that request is to see how the DNS server handles an invalid request? Great!

  2. D4ngerM0use said,

    June 8, 2008 at 8:34 pm

    Hi,
    I found the same “funny Packet” while monitoring our network.
    And **Surprise** I first googled “dnsbugtest” and found this page :-)
    In our case it was a Windows laptop with the Apple Safari Browser Windows Edition, which has the mDNSResponder piggyback.
    Thanks for the post

    D4ngerM0use, GERMANY
