TC 9.0b1 updater just says hosts=null

The behaviour described in the bug report is either by design, or would be far too complex/time-consuming to be changed

Moderators: Hacker, petermad, Stefan2, white

glipman
Junior Member
Posts: 31
Joined: 2005-02-09, 20:59 UTC

Post by *glipman »

I get the same nslookup response "*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for releaseversion.ghisler.com" from my pfSense firewall.

How can 10.x.x.x ever work? It is in the private range and I could very well be using 10.x.x.x in my internal network. It is not routable over the internet?

Maybe I am missing something but what is wrong with creating a simple file http://ghisler.com/version.txt that is downloaded by the update-checker? You have full control over the website after all?
wanderer
Power Member
Posts: 1640
Joined: 2003-03-28, 14:35 UTC
Location: Sol

Post by *wanderer »

glipman wrote:Maybe I am missing something but what is wrong with creating a simple file http://ghisler.com/version.txt that is downloaded by the update-checker? You have full control over the website after all?
Christian is probably trying to avoid having all TC users checking once a day for a new TC version in order to not overload his server(s?) and for bandwidth consumption. It's a clever idea actually because with nslookup, the user-provider's DNS servers end up bearing the load. Unfortunately as it seems, the implementation has some issues...
- Wanderer -

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Normally using latest TC on:
x32: WinXPx32 SP3 (very rarely nowadays).
x64: Clients/Servers - Win10/Win11 and Win2K16 to Win2K22, mainly Win10 though.
Hacker
Moderator
Posts: 13142
Joined: 2003-02-06, 14:56 UTC
Location: Bratislava, Slovakia

Post by *Hacker »

glipman,
DNS is the most safe bet to get through. If DNS does not get through, nothing (that is not on some kind of whitelist) does.

Roman
Suppose you press Ctrl+F, select the FTP connection (with saved password), but instead of clicking Connect, you drop dead.
Sob
Power Member
Posts: 945
Joined: 2005-01-19, 17:33 UTC

Post by *Sob »

2ghisler(Author):
DNS is designed to be extensible, so resolvers should handle all records equally, including unknown ones. The last part may not be always true, but it's not the case for TXT, because it's old, well-known and used by millions every day (e.g. SPF or DKIM records for e-mail use TXT records). I wouldn't be afraid at all to use it.

To resolve TXT records, I know about API for Windows 2000 and newer. My cut down example: http://web.hisoftware.cz/sob/tc/DnsTest.dpr (Lazarus has proper unit for it, JwaWinDNS). I did not find any standard API for older systems.

Using AAAA records probably doesn't have any advantage. It won't help with older systems (unless you'd want to construct DNS queries yourself, process replies and everything).

wanderer wrote:Unless you use a range of addresses which belongs to you ;). I don't know however what would be the yearly cost for such a bunch of IPs.
Aside from being "a little" wasteful (if it used the same "encoding scheme"), there's no way *anyone* can get such big block of addresses today. Last time it was possible was few decades ago, if you were someone like IBM. :)

2glipman: It's a little hack, where TC version numbers are put in fake IP address. TC resolves the hostname, looks at numbers and that's it, there are no connections anywhere. The nice thing is that it can be very light on resources, because DNS replies are cached. So if thousand TC users have same ISP and they use provided DNS servers, it could take only one query to Ghisler's DNS server to serve them all, instead of thousand separate http requests. Currently it's not completely true, because the record has validity only 60 seconds, which is unnecessarily low and should be increased.
Dalai
Power Member
Posts: 9968
Joined: 2005-01-28, 22:17 UTC
Location: Meiningen (Südthüringen)

Post by *Dalai »

Sob wrote:It's a little hack, where TC version numbers are put in fake IP address. TC resolves the hostname, looks at numbers and that's it, there are no connections anywhere.
Ah, now I got it. Until now I had thought of similar ways like glipman (put some file somewhere that TC can download and check).
Hacker wrote:DNS is the most safe bet to get through.
Are you sure about this? What about manipulations of DNS responses like Deutsche Telekom does ("Navigationshilfe")? IIRC OpenDNS does similar DNS things.

2Ghisler:
What does TC do if it finds that a new version is available? Does it offer to open the default browser with TC homepage or something?

Regards
Dalai
#101164 Personal licence
Ryzen 5 2600, 16 GiB RAM, ASUS Prime X370-A, Win7 x64

Plugins: Services2, Startups, CertificateInfo, SignatureInfo, LineBreakInfo - Download-Mirror
Emalis.Reckah
Junior Member
Posts: 30
Joined: 2016-06-13, 21:03 UTC

Post by *Emalis.Reckah »

When TC is up to date you get shown:
"1792="Total Commander is aktuell.""

When there is a new version avail you get a dialog with
1790="Ein Update ist verfügbar:" [probably new version nr here]
1791="Homepage zum Herunterladen besuchen?"
^- I suppose opens default web browser
LogicDaemon
Junior Member
Posts: 20
Joined: 2012-07-29, 18:12 UTC
Location: Russia

Post by *LogicDaemon »

+1 to the OP.

I guess some servers (OpenDNS as example) filter out internal IPs due to security concerns:

Code: Select all

>nslookup releaseversion.ghisler.com 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    releaseversion.ghisler.com
Address:  10.9.0.130


>nslookup releaseversion.ghisler.com 208.67.222.222
Server:  resolver1.opendns.com
Address:  208.67.222.222

*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for releaseversion.ghisler.com
glipman
Junior Member
Posts: 31
Joined: 2005-02-09, 20:59 UTC

Post by *glipman »

I am using pfSense as my firewall/ DNS server. From their documentation:

Code: Select all

The DNS forwarder (dnsmasq) uses the option --stop-dns-rebind by default, which rejects and logs addresses from upstream nameservers which are in the private IP ranges. In the most common usage, this is filtering DNS responses received from the Internet to prevent DNS rebinding attacks. Internet DNS responses should never come back with a private IP, hence it's safest to block this.
The DNS trick with an IP in the private range will fail for anyone using pfSense or more general for anyone using dnsmasq with --stop-dns-rebind.
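
An added example, not part of any post in this thread and not pfSense or dnsmasq code: a simplified Python model of the rebind check described above, showing why the A answer is rejected while a TXT answer carrying the same text is not inspected. The RFC 1918 range list, the treatment of IPv4-mapped IPv6 addresses and the record tuples (built from values quoted in this thread) are assumptions of the example.

```python
import ipaddress

# Assumption: the filter covers the three RFC 1918 ranges only.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr (IPv4, or IPv4-mapped IPv6) falls in a private range."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:a.b.c.d carries an IPv4 address; unwrap it before checking.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in PRIVATE_NETS if net.version == ip.version)


def check_reply(records):
    """Model of a rebind-protecting forwarder.

    records: list of (name, rtype, rdata) tuples from an upstream reply.
    Only address records (A/AAAA) are inspected; other types pass untouched.
    Returns (accepted, offending_records).
    """
    offending = [r for r in records
                 if r[1] in ("A", "AAAA") and is_private(r[2])]
    return (not offending, offending)


# Constructed replies using values quoted in this thread.
A_REPLY = [("releaseversion.ghisler.com", "A", "10.9.0.130")]
TXT_REPLY = [("releaseversion.ghisler.com", "TXT", "10.9.0.131,10.8.51.1")]
# Constructed control case: a public address (documentation range).
PUBLIC_REPLY = [("example.org", "A", "203.0.113.10")]
MAPPED_REPLY = [("releaseversion.ghisler.com", "AAAA", "::ffff:10.9.0.130")]

if __name__ == "__main__":
    for label, reply in (("A", A_REPLY), ("TXT", TXT_REPLY),
                         ("public A", PUBLIC_REPLY), ("mapped AAAA", MAPPED_REPLY)):
        accepted, offending = check_reply(reply)
        print(f"{label:12} accepted={accepted} offending={offending}")
```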
Emalis.Reckah
Junior Member
Posts: 30
Joined: 2016-06-13, 21:03 UTC

Post by *Emalis.Reckah »

glipman wrote:The DNS trick with an IP in the private range will fail for anyone using pfSense or more general for anyone using dnsmasq with --stop-dns-rebind.
So we now can move this topic to the ENGLISH forum as it is NOT a BUG
but your choosing :P

Seriously Chris way is the smartest one. Otherwise people could hammer his server to death....
Lefteous
Power Member
Posts: 9537
Joined: 2003-02-09, 01:18 UTC
Location: Germany

Post by *Lefteous »

2ghisler(Author)
So any better ideas to do the update check without needing a 100 server farm?
Something like this:
https://aws.amazon.com/de/sns/
ghisler(Author)
Site Admin
Posts: 50550
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

To those with the name server plugin: Could you try this command, please:

nslookup -type=TXT releaseversion.ghisler.com

Should return something like this:

Code: Select all

releaseversion.ghisler.com      text =

        "10.9.0.131,10.8.51.1"
Author of Total Commander
https://www.ghisler.com
Hacker
Moderator
Posts: 13142
Joined: 2003-02-06, 14:56 UTC
Location: Bratislava, Slovakia

Post by *Hacker »

Dalai,
Dalai wrote: Are you sure about this?
Pretty much.
Dalai wrote: What about manipulations of DNS responses like Deutsche Telekom does ("Navigationshilfe")? IIRC OpenDNS does similar DNS things.
What would those be?

Christian,
ghisler(Author) wrote: To those with the name server plugin
What's that?

Code: Select all

nslookup -type=TXT releaseversion.ghisler.com
Results here in:
C:\>nslookup -type=TXT releaseversion.ghisler.com
Server: UnKnown
Address: 192.168.1.1

Non-authoritative answer:
releaseversion.ghisler.com text =

"10.9.0.131,10.8.51.1"
Roman
Suppose you press Ctrl+F, select the FTP connection (with saved password), but instead of clicking Connect, you drop dead.
Dalai
Power Member
Posts: 9968
Joined: 2005-01-28, 22:17 UTC
Location: Meiningen (Südthüringen)

Post by *Dalai »

Hacker wrote:
What about manipulations of DNS responses like Deutsche Telekom does ("Navigationshilfe")? IIRC OpenDNS does similar DNS things.
What would those be?
Well, the mentioned ISP doesn't send a proper response (NXDOMAIN) to a request of a non-existent domain/address. Instead, they redirect the user to a special portal, to "help" people find what they're looking for. This is bad behavior and breaks certain services, e.g. e-mail or other non-web stuff. If I send an e-mail to a non-existent domain, maybe due to a typo, I want a proper response (Mailer daemon mail), not some bullshit.

Yes, this "feature" can be switched off by the ISP customer in their T-Online portal (but it's the customer's thing to do). And, yes it might not be a problem for the use case we're discussing. However, there might be other DNS manipulations we know nothing about. But they would most likely make a problem with a different kind of update check, too.

Regards
Dalai
#101164 Personal licence
Ryzen 5 2600, 16 GiB RAM, ASUS Prime X370-A, Win7 x64

Plugins: Services2, Startups, CertificateInfo, SignatureInfo, LineBreakInfo - Download-Mirror
glipman
Junior Member
Posts: 31
Joined: 2005-02-09, 20:59 UTC

Post by *glipman »

I do not understand what a 'name server plugin' is but with my pfSense firewall I get a proper response

Code: Select all

nslookup -type=TXT releaseversion.ghisler.com
Server:  pfSense.jgl.local
Address:  192.168.5.2

Non-authoritative answer:
releaseversion.ghisler.com      text =

        "10.9.0.131,10.8.51.1"
Hacker
Moderator
Posts: 13142
Joined: 2003-02-06, 14:56 UTC
Location: Bratislava, Slovakia

Post by *Hacker »

Dalai,
Dalai wrote: And, yes it might not be a problem for the use case we're discussing.
That is correct.

Roman
Suppose you press Ctrl+F, select the FTP connection (with saved password), but instead of clicking Connect, you drop dead.