Jami sending DNS requests to 58.249.126.8 in China?

petep · May 4, 2025, 11:15am

Hi!

I’ve observed some strange behaviour and I’d like to understand this a little better.

Jami is sending malformed DNS requests to 58.249.126.8

inetnum: 58.249.0.0 - 58.249.127.255
netname: GuangZhou-unicom
descr: United-Communications-Network-Technology-Co-Ltd, GuangZhou
country: CN

The requests looks like this:

1 12:00:55.099048962 10.0.0.1 → 58.249.126.8 DNS 123 Unknown operation (12) 0x85a1[Malformed Packet]
2 12:00:55.419708993 58.249.126.8 → 10.0.0.1 DNS 349 Unknown operation (14) 0x84a1 Unknown (57636) [Malformed Packet]
3 12:01:05.029569645 10.0.0.1 → 58.249.126.8 DNS 123 Unknown operation (12) 0x85a1[Malformed Packet]
4 12:01:05.029587512 10.0.0.1 → 58.249.126.8 DNS 123 Unknown operation (12) 0x85a1[Malformed Packet]
5 12:01:05.306361767 58.249.126.8 → 10.0.0.1 DNS 349 Unknown operation (14) 0x84a1 Unknown (31057) [Malformed Packet]
6 12:01:06.147904164 10.0.0.1 → 58.249.126.8 DNS 123 Unknown operation (12) 0x85a1[Malformed Packet]
7 12:01:06.435244069 58.249.126.8 → 10.0.0.1 DNS 349 Unknown operation (14) 0x84a1 Unknown (57636) [Malformed Packet]

Anyone know what’s happening here?

Jami is on Rocky 9
jami-20250430.0-1.el9.x86_64

Regards,

P.

W192547975 · May 4, 2025, 1:45pm

Hmm, what is your default DNS server address?

petep · May 4, 2025, 4:12pm

I can confirm that this IP doesn’t appear in my /etc/resolv.conf as a nameserver. All other applications use the NS hosts which are listed there. Only Jami is connecting to this IP address which I have not heard of before.

Rubus_chiliadenus · May 4, 2025, 5:08pm

It may be an OpenDHT node which listens on port 53. You can capture some packets and try deserializing them with a MessagePack library.

petep · May 9, 2025, 2:03pm

Caveat: I’m not a developer

I have done a dump of the packets but it isn’t plain text. The only recognisable strings I can see are:

target
q.find.t
token

Does this sound typical of a OpenDHT packet?

Thanks.

Rubus_chiliadenus · May 9, 2025, 4:01pm

Probably, I also found them in parsed_message.h of OpenDHT (Jami used this library).

github.com/savoirfairelinux/opendht

src/parsed_message.h

master

/*
 *  Copyright (C) 2014-2023 Savoir-faire Linux Inc.
 *  Author(s) : Adrien Béraud <adrien.beraud@savoirfairelinux.com>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 3 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program. If not, see <https://www.gnu.org/licenses/>.
 */
 #pragma once

#include "infohash.h"

This file has been truncated. show original

Do you mind parsing those packets with the demo page of msgpack-lite ?

hkk · May 9, 2025, 8:20pm

If it’s a dht node then don’t worry too much about it

petep · May 10, 2025, 11:17am

Good call on parsed_message.h . That’s convincing evidence for the DHT case. However I was unable to get the packets to deserialise using the msgpack demo. This implies one of two things:

They’re not OpenDHT packets
I didn’t do it right!

Mmmm..

Rubus_chiliadenus · May 11, 2025, 11:30am

My bad. I forgot to mention the demo isn’t friendly on decoding, it requires that you insert a space between bytes.

Sorry.

petep · May 11, 2025, 12:08pm

Now I’m getting somewhere. The request (not reply) from my machine running Jami looks like this:

{
“a”: {
“id”: {
“type”: “Buffer”,
“data”: [
239,
… etc
“target”: {
“type”: “Buffer”,
“data”: [
187,
etc…
},
“q”: “find”,
“t”: 1234567890,
“y”: “q”,
“v”: “o2”
}

and something else that might be significant, the requests take place exactly every 10 minutes.

Is this OpenDHT?

Thanks.

Rubus_chiliadenus · May 11, 2025, 3:13pm

Yes, and it’s a request to find node.

github.com/savoirfairelinux/opendht

src/network_engine.cpp

c3669cfd3


      
          msgpack::sbuffer buffer;
          msgpack::packer<msgpack::sbuffer> pk(&buffer);
          pk.pack_map(5+(config.network?1:0)+(config.is_client?1:0));
          
          pk.pack(KEY_A); pk.pack_map(2 + (want>0?1:0));
            pk.pack(KEY_REQ_ID);     pk.pack(myid);
            pk.pack(KEY_REQ_TARGET); pk.pack(target);
          if (want > 0) {
            pk.pack(KEY_REQ_WANT);
            pk.pack_array(((want & WANT4)?1:0) + ((want & WANT6)?1:0));
            if (want & WANT4) pk.pack(AF_INET);
            if (want & WANT6) pk.pack(AF_INET6);
          }
          
          pk.pack(KEY_Q); pk.pack(QUERY_FIND);
          pk.pack(KEY_TID); pk.pack(tid);
          pk.pack(KEY_Y); pk.pack(KEY_Q);
          pk.pack(KEY_UA); pk.pack(OPENDHT_UA);
          if (config.network) {
              pk.pack(KEY_NETID); pk.pack(config.network);

This file has been truncated. show original

petep · May 11, 2025, 3:36pm

Thanks Rubus. Good to have that confirmation. I can rest easy now!

Thanks again for your help.