Sunday, May 28, 2017

Are iOS Devices Breaking DFS Rules?

NOTE: What I thought were probes on channel 52 were actually not transmitted on channel 52. They were transmitted on channel 48. The transmitting devices were close enough to the capturing device that the OFDM signal was strong enough off-channel to be decoded. Click here for the updated blog that explains what really happened. What follows below is my (incorrect) interpretation of what I saw.

I was looking at my Twitter feed not too long ago, and there were a few tweets from a webinar that I was not able to attend. The webinar was hosted by Ekahau, and the presentation was by the excellent Jerome Henry. The slides are available here.

One of the slides describes the channel scanning behavior of iOS clients, particularly how they scan the U-NII-2e channels 100 - 144. The slide indicated that these channels must be scanned passively: the client must dwell on the channel and listen for beacons, since DFS rules prevent it from sending probes.

The first question that came to mind when I saw the slide: what about U-NII-2, channels 52 - 64? These channels also require DFS, but were not listed on the slide. I thought that it was just an omission. I did some testing with my Motorola G4 and saw that it will not probe out on 52 - 64 unless it hears a beacon. Were iOS devices different? I had to test for myself.

I set up an Aruba IAP-315 in sniffer mode on channel 52 and captured in Wireshark. I used a display filter to see only beacons and probe requests. I took an iPhone SE running 10.3 and removed saved networks to simulate the phone being in a new environment. I turned on Wi-Fi on the phone and placed it less than a foot away from the IAP. This is what I saw:


No beacon frames, but probes from an unregistered MAC address received by the AP at -69 dBm. Keep in mind the phone is less than a foot from the AP. For comparison, I sniffed on channel 36 and saw probes from the same unregistered MAC at -30 dBm.

Next I ran a capture where I switched the channel from 52 to 56. Probe requests were seen on both channels, again with no beacons.


You can see from the time column that enough time is elapsing to see beacons. I didn't see any. I also captured on channels 60 and 64, but did not see any traffic on these channels at all.

So what is happening here? It looks like a client device is transmitting on a DFS channel without first hearing a beacon from a master AP on that channel. I don't think the phone is listening for radar, like an AP, because I see a probe on channel 52 within a second or two of turning Wi-Fi on.

Are DFS rules being broken?
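Added example, not part of the original post: a stdlib-only Python triage that automates the check done by eye above. It assumes the sniffer frames have already been exported from Wireshark as (time, capture channel, subtype, source MAC, RSSI) tuples; the sample records are constructed to resemble the captures described, and the off-channel heuristic follows the update note at the top (a probe decoded on a DFS channel far weaker than the same source on a non-DFS channel is more likely bleed-through than a real DFS transmission).

```python
"""Triage a Wi-Fi sniffer capture for probe requests on DFS channels.

Records are constructed (time in seconds, channel the sniffer was tuned to,
frame subtype, source MAC, RSSI in dBm); they are not real capture data.
"""

# DFS-controlled 5 GHz channels named in the post: U-NII-2 (52-64) and U-NII-2e (100-144).
DFS_CHANNELS = set(range(52, 65, 4)) | set(range(100, 145, 4))

# Constructed sample: a randomised client MAC probing on 36, 52 and 56 with no beacons,
# plus one client probing on 100 only after a beacon was decoded there.
SAMPLE_FRAMES = [
    (0.0, 36, "probe_req", "da:a1:19:00:00:01", -30),
    (1.2, 52, "probe_req", "da:a1:19:00:00:01", -69),
    (2.5, 52, "probe_req", "da:a1:19:00:00:01", -70),
    (4.0, 56, "probe_req", "da:a1:19:00:00:01", -71),
    (5.0, 100, "beacon", "00:0b:86:00:00:aa", -55),
    (5.3, 100, "probe_req", "02:00:00:00:00:02", -60),
]


def dfs_probe_report(frames, bleed_db=20):
    """Return probe requests on DFS channels seen before any beacon on that channel.

    Each finding also says whether the same source was decoded at least
    bleed_db stronger on a non-DFS channel, which suggests an off-channel
    decode rather than a genuine transmission on the DFS channel.
    """
    best_non_dfs = {}  # source MAC -> strongest RSSI seen on a non-DFS channel
    for _, ch, _, src, rssi in frames:
        if ch not in DFS_CHANNELS:
            best_non_dfs[src] = max(rssi, best_non_dfs.get(src, rssi))

    beacon_seen = set()  # channels on which a beacon has been decoded so far
    findings = []
    for ts, ch, sub, src, rssi in sorted(frames):
        if sub == "beacon":
            beacon_seen.add(ch)
        elif sub == "probe_req" and ch in DFS_CHANNELS and ch not in beacon_seen:
            ref = best_non_dfs.get(src)
            findings.append({
                "time": ts, "channel": ch, "src": src, "rssi": rssi,
                "likely_off_channel": ref is not None and ref - rssi >= bleed_db,
            })
    return findings


if __name__ == "__main__":
    for f in dfs_probe_report(SAMPLE_FRAMES):
        print(f)
```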
