You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

constant DNS querying for 127.0.0.1

Hello,

I'm quite puzzled... I noticed a constant low bandwidth traffic on the WAN port of the router and tracked it back to the MacOS X (10.5.2) host constantly DNS querying for 127.0.0.1 (about every three seconds). I am using DHCP and the network configuration picks up the external DNS server.

I thought this localhost information should be picked up directly from /etc/hosts (in my case)
cat /etc/hosts
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost

and there should be no need to ask for this reverse DNS name resolution to the external DNS server.

do I really have to use dscl and create an entry for localhost to stop this DNS querying activity?

andrea

MacMini G4 1.5GHz, Mac OS X (10.5.2)

Posted on Mar 2, 2008 6:50 AM

Reply
31 replies

Mar 3, 2008 10:08 AM in response to xnav

as suspected the Directory Service (DS) stuff on Leopard is actually OK...

$ dscacheutil -q host -a ip_address 127.0.0.1
name: localhost
ip_address: 127.0.0.1

whilst performing a tcpdump:
$ sudo tcpdump -A -n -i en1 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 96 bytes
18:03:51.903993 IP 192.168.21.100.5353 > 192.168.21.1.53: 63898+[|domain]
E..YW..........d.......5.E.y.............1.0.0.127
dnsbugtest.1.0.0.127.in-addr.ar
18:03:51.923450 IP 62.31.176.39.53 > 192.168.21.100.5353: 63898 NXDomain[|domain]
E....3@...9.>..'...d.5....x3.............1.0.0.127

repeated every 3 seconds.

whatever causes this ... it does not use DS, strongly suspect a kernel related activity.

Mar 3, 2008 11:03 AM in response to xnav

I compared your netstat and the only significant difference is that I am not running a vnc or ssh listener.


dtracing/dtrussing these processes doesn't show any problems

Also, my router does not provide any DNS services.


in your case then the DHCP provided DNS IP address is the external one (correct?)

Again, my system is not polling 127.0.0.1.


different router as well...

checked a friend's PPG G5 with 10.5.2 and a similar router and the same problem arises (without running VNC nor ssh).

Mar 3, 2008 12:05 PM in response to aBarbieri

Hi aBarbieri, you're correct that this query is being generated by mDNSResponder. It's not actually querying for 127.0.0.1, it's doing a special bogus query to detect if you own a buggy router. The test looks like this.

*dig 1.0.0.127.dnsbugtest.1.0.0.127.in-addr.arpa ptr*

Buggy routers will respond with "localhost" to the above query. The correct response is NXDOMAIN because that name doesn't really exist in DNS.

Can you look in system.log and post all messages that contain "mDNSResponder"?

Mar 3, 2008 12:44 PM in response to aBarbieri

Yeah, I think the problem is that your machine is sending the dns-bug-test query to your router's DNS proxy at 192.168.21.1, but then the query is being incorrectly forwarded along to your ISP's DNS server of 62.31.176.3, and then your ISP's DNS server is correctly responding with NXDOMAIN but the NAT translator is not translating the source IP address of the response, so it reaches mDNSResponder with an apparent source IP address of 62.31.176.39, and mDNSResponder rejects it because it looks like a spoofed response. So two separate bugs in your router are causing this. As you've discovered, you can work around this by setting your machine's DNS server to 62.31.176.39, thus bypassing the DNS proxy in your router.

Mar 3, 2008 12:53 PM in response to Snoop Dogg

Hello,

the system.log simply contains entries like this:
Mar 3 11:07:38 localhost mDNSResponder mDNSResponder-170 (Jan 4 2008 18:04:16)[16]: starting

so the tcpdump shows the router responding correctly with a NXDOMAIN reply
20:10:52.401762 IP 192.168.21.103.5353 > 192.168.21.1.53: 810+[|domain]
E..Y$:.........g.......5.E...*...........1.0.0.127
dnsbugtest.1.0.0.127.in-addr.ar
20:10:52.419083 IP 62.31.176.39.53 > 192.168.21.103.5353: 810 NXDomain[|domain]
E.....@.....>..'...g.5....3..*...........1.0.0.127
dnsbugtest.1.0.0.127.in-addr.ar

why then mDNSResponder performs this test only once when I use the external DNS IP address whilst repeats itself every 3 seconds for a local one?

this happens as well if I start the local named service and make it a forward only DNS server using as forwarder address the very same external DNS IP address.

Message was edited by: aBarbieri
just read the previous response. so the error is in the router OS not to translate back the IP address of the DNS response (it should use the router IP address rather than the external DNS IP address)

Mar 3, 2008 12:58 PM in response to aBarbieri

Yeah, notice that the query is sent to 192.168.21.1, but the response is sent from 62.31.176.39, so the response gets ignored (and the query gets re-transmitted over and over). When you set your DNS server IP address to 62.31.176.39, the query will be sent to 62.31.176.39, and the response will be sent from 62.31.176.39, so mDNSResponder will accept the response.

constant DNS querying for 127.0.0.1

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.