Relation of Notepad++ & bom.sourceforge.net

2007-11-24
2012-11-13
  • HaveFun2000

    HaveFun2000 - 2007-11-24

    Every time I start Notepad++, GUP.exe tries to access the webpage bom.sourceforge.net

    If GUP.exe is an auto-updater of Notepad++, why does it try to access the pages of Biet-o-Matic ( http://bom.sourceforge.net )?

    <a href="http://img235.imageshack.us/my.php?image=gupexepc2.jpg" target="_blank"><img src="http://img235.imageshack.us/img235/3820/gupexepc2.th.jpg" border="0" alt="Free Image Hosting at www.ImageShack.us" /></a>

     
    • HaveFun2000

      HaveFun2000 - 2007-11-24

      Ok, thanks for this.

      > There are tens of thousands projects on SourceForge ...
      ... and coincidentally BOM and Notepad++ are the most used SF-project on my PC ;-)

      > do you expect each project to be hosted on their own (expensive) server?
      > Do you expect that SourceForge reserves tens of thousands IP, ... ?

      No, I don't expect this. I would expect that the Notepad++ updater didn't access an IP, but uses a subdomain to contact the server (like "notepad-plus.sourceforge.net").
      Additionally, I would expect that a DNS request for the SF server IP didn't return a subdomain of one project, but returns the main domain (without project-specific subdomain).

      But: no problem, this isn't really a problem, and so everything is fine :)

       
    • HaveFun2000

      HaveFun2000 - 2007-11-24

      PS/Edit: My screenshot isn't displayed correctly in my message above (due to its HTML).
      Visit image on imageshack:
      http://img235.imageshack.us/my.php?image=gupexepc2.jpg

       
    • Philippe Verdy

      Philippe Verdy - 2007-11-24

      This is the same shared server on SourceForge, that hosts several projects. Your local DNS cache has just remembered or found ONE of the hostnames associated to the IP.

      All projects on SourceForge could map to the same IP, there's not one distinct IP assigned per project (SourceForge disseminates the various hosted projects on its servers, according to their relative load, some important and very active projects may use more hosts. You should remember that there's NO dedicated server per SourceForge project), unless some project has paid SourceForge to reserve and manage dedicated servers for use only by themselves and no other unrelated project, so that they can guarantee a minimum supported workload for themselves.

      There are tens of thousands projects on SourceForge, do you expect each project to be hosted on their own (expensive) server? Do you expect that SourceForge reserves tens of thousands IP, one for each project that is hosted without even paying anything to SourceForge? Really it would not work, or SourceForge would seriously lack money or would have to limit the number of hosted projects.

       
    • Philippe Verdy

      Philippe Verdy - 2007-11-24

      Try this:
      ping bom.sourceforge.net

      Compare with:
      ping notepadplusplus.sourceforge.net

      This is the same IP (the same host) that will reply for both projects...

       
    • Philippe Verdy

      Philippe Verdy - 2007-11-24

      Note finally that your local firewall does not know really which domain name you are trying to access when it detects the IP traffic, because it does not seem to monitor DNS resolution requests and replies. So when it sees an unknown traffic to some IP, it performs an inverse resolution of the IP address, using the DNS client on your local host that looks for the host name in the following order:
      * First it looks for the hostname in your local C:\Windows\System32\drivers\etc\hosts file to see if there's a match (note that this file may be a security issue)
      * If not found there, it then uses the local DNS client cache (to see if a recent DNS resolution has cached the resolution reply for the pseudo domain name "C.D.B.A.in-addr.arpa" where "D.C.D.A" is the IP address in dotted decimal format but reversed).
      * If not found in the local cache, then it will contact your configured DNS server(s) to query the "C.D.B.A.in-addr.arpa" pseudo-domain name: this may be a DNS server on your LAN, or a DNS proxy integrated in your router, and if so, they will use their own local cache, or will query the upstream DNS server of your Internet provider.
      * The DNS server of your provider will also use its own local cache, and if not found, it will proxy the resolution request to its upstream DNS servers or via the DNS root servers that will try to locate the registry hosting successively the following pseudo-domains, in that order, to locate the final DNS server containing the info:

      (1) request the root DNS servers to look for the DNS servers for the domain ".arpa"
      (2) query the DNS servers found to look for the DNS servers for the domain ".in-addr.arpa"
      (3) query the DNS servers found to look for the DNS servers for the domain "A.in-addr.arpa"
      (4) query the DNS servers found to look for the DNS servers for the domain "B.A.in-addr.arpa"
      (5) query the DNS servers found to look for the DNS servers for the domain "C.B.A.in-addr.arpa"
      (6) query the DNS servers found to look for the DNS servers for the host name of "D.C.B.A.in-addr.arpa"

      There may be fewer queries performed each time, if one of these servers already has a reply for subdomains in its cache.

      All this is happening in the background, using lots of intermediate caches each time (using caches is what makes the DNS system scalable to support billions of queries that can be solved more locally instead of querying each time the most critical DNS servers in the root domain or subdomains). Normally your ISP caches many replies and already knows most (if not all) DNS servers hosting each domain of the form "B.A.in-addr.arpa".

      Your ISP also certainly caches most addresses used by SourceForge because it is a very frequently used site (so it does not need to really contact each time the DNS servers hosting the inverse resolution of IP addresses used by SourceForge: these DNS servers for such inverse IP resolution are normally run by the upstream large ISP hosting SourceForge's IP reservations, and this is normally a DNS server run by the IP registrar where SourceForge bought the reservation of its IP address block).

       
    • Philippe Verdy

      Philippe Verdy - 2007-11-24

      Note finally that you could avoid such "incorrect" guess of the hostname, if your local OS was configured to use a local DNS cache; you can enable this cache in your local DNS client: it will resolve locally the inverse resolution request if it can find a recent resolution request (i.e. the request that was necessarily used by GUP.exe when it attempted to resolve the name "notepadplusplus.sourceforge.net" into an IP address, before even trying to send the first IP request there (the IP that your firewall is now trying to identify)).
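
The mislabelling discussed in this thread, as an added example that is not part of the original posts: a connection monitor that labels a destination IP from the forward DNS answers it has observed, and falls back to a reverse (PTR) lookup only as a flagged guess. The address 192.0.2.10, the PTR table and the names `ForwardCache` and `label_connection` are constructed for illustration and are not taken from any firewall product.

```python
import ipaddress

# Constructed sample data: a documentation-range address stands in for the
# shared SourceForge host; its single PTR record names only one project.
SHARED_IP = "192.0.2.10"
PTR_ZONE = {"10.2.0.192.in-addr.arpa": "bom.sourceforge.net"}


class ForwardCache:
    """Remembers observed forward answers (name -> IP) until their TTL expires."""

    def __init__(self, ttl=300):
        self.ttl = ttl
        self._by_ip = {}  # ip -> {queried name: expiry time}

    def observe(self, name, ip, now):
        """Record that a client resolved `name` to `ip` at time `now`."""
        self._by_ip.setdefault(ip, {})[name] = now + self.ttl

    def names_for(self, ip, now):
        """Return every still-valid name that was resolved to `ip`."""
        entries = self._by_ip.get(ip, {})
        return sorted(n for n, expiry in entries.items() if expiry > now)


def ptr_name(ip):
    """Build the in-addr.arpa name used for the reverse lookup of `ip`."""
    return ipaddress.ip_address(ip).reverse_pointer


def label_connection(ip, cache, now):
    """Label a destination IP and report how trustworthy the label is."""
    names = cache.names_for(ip, now)
    if names:
        # The client really asked for these names: high-confidence label.
        return ("forward-cache", names)
    ptr = PTR_ZONE.get(ptr_name(ip))
    if ptr:
        # One PTR name for a shared host: a guess, set by the IP block owner.
        return ("ptr-guess", [ptr])
    return ("unresolved", [ip])


if __name__ == "__main__":
    cache = ForwardCache(ttl=300)
    print(label_connection(SHARED_IP, cache, now=0))    # no DNS seen yet
    cache.observe("notepadplusplus.sourceforge.net", SHARED_IP, now=10)
    print(label_connection(SHARED_IP, cache, now=20))   # updater's real target
```

A monitor that keeps the `ptr-guess` tag in its logs lets an analyst tell a name the client actually queried from one inferred after the fact.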