In which an obscure conundrum is exposed
Published on Friday, the 28th of October, 2011
Some time ago someone reported issues accessing cpan.catalyst.net.nz. A little peculiar and puzzling at the time, but we put it down to some weird DNS cache issues and moved on.
Turns out the problem is a DNS one, though not what we were thinking at the time:
$ host -t aaaa mail.catalyst.net.nz
mail.catalyst.net.nz has IPv6 address 2404:130:0:10::40:0

2404:130:0:10::40:0 == 2404:0130:0000:0010:0000:0000:0040:0000

$ echo $((0x24)).$((0x04)).$((0x01)).$((0x30))
36.4.1.48
So somewhere, some crappy device is getting a bunch of bytes back when it asks DNS for the address of something, and then it's taking the first four of them and calling that the IP address.
Kudos to David Clarke for spotting the actual problem.
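The failure described above, as an added example that is not part of the original post: a constructed DNS answer record carrying the AAAA address from the post is read once by a parser that ignores TYPE and RDLENGTH and once by one that checks both. The function names and the simplified record layout (name given as a two-byte compression pointer) are assumptions made for illustration.

```python
import ipaddress
import struct

A, AAAA = 1, 28  # DNS RR type codes (RFC 1035, RFC 3596)

def build_rr(rtype, rdata, ttl=300):
    """Constructed answer RR: name pointer, TYPE, CLASS=IN, TTL, RDLENGTH, RDATA."""
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def parse_rr(rr):
    """Split one answer RR (2-byte name pointer assumed) into (type, rdata)."""
    rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", rr[2:12])
    rdata = rr[12:12 + rdlength]
    if len(rdata) != rdlength:
        raise ValueError("truncated RDATA")
    return rtype, rdata

def buggy_address(rr):
    """The bug: ignore TYPE and RDLENGTH, treat the first four RDATA bytes as IPv4."""
    return str(ipaddress.IPv4Address(rr[12:16]))

def correct_address(rr):
    """Interpret RDATA according to TYPE and require the matching RDLENGTH."""
    rtype, rdata = parse_rr(rr)
    if rtype == A and len(rdata) == 4:
        return str(ipaddress.IPv4Address(rdata))
    if rtype == AAAA and len(rdata) == 16:
        return str(ipaddress.IPv6Address(rdata))
    raise ValueError(f"unexpected type {rtype} with RDLENGTH {len(rdata)}")

def looks_like_truncated_aaaa(ipv4, ipv6):
    """Diagnostic: is this IPv4 address just the first four bytes of the AAAA record?"""
    v4 = ipaddress.IPv4Address(ipv4).packed
    return v4 == ipaddress.IPv6Address(ipv6).packed[:4]

if __name__ == "__main__":
    # Constructed record carrying the AAAA address shown in the post.
    rr = build_rr(AAAA, ipaddress.IPv6Address("2404:130:0:10::40:0").packed)
    print("buggy:  ", buggy_address(rr))
    print("correct:", correct_address(rr))
    print("match:  ", looks_like_truncated_aaaa("36.4.1.48", "2404:130:0:10::40:0"))
```

The last helper is the check to run when a host resolves to an unexpected IPv4 address: compare it against the first four bytes of the name's AAAA record before suspecting anything else.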
I'll still take a bung DNS
I'll still take a bung DNS resolver or two over "DNS poisoning for at least the last eighteen months from a source inside China" any day. :-)
$ whois 36.4.1.48 | grep netname
netname: CHINANET-AH
Yeah, for sure.
It could be very scary to discover that if, say, you were four weeks out from a national election or something, and you had some kind of security auditor breathing down your neck asking pointed questions...
So, how do I fix this?
I get 36.4.1.48 intermittently for the address for socrates.catalyst.net.nz but only from some Ubuntu boxen. How do I fix it? arp -d doesn't seem to...
Use a DNS resolver that actually reads the response
Well, what else can I say? If you're occasionally getting this (from some Ubuntu boxen) you need to work out what it is in your DNS resolver stack that is screwing with your head :-)