v10networkscom / saltychat-fivem

FiveM implementation of Salty Chat (TeamSpeak 3 based Voice Plugin)
https://gaming.v10networks.com
GNU General Public License v3.0

Salty chat dont Connect to the server #27

Closed Gonzo128 closed 3 years ago

Gonzo128 commented 3 years ago

Hello dear Saltymine admin team, I am a supporter of a German FiveM RP server. In the last few days we had a lot of problems with players who couldn't connect to the in-game channel. Unfortunately, the common bug fixes didn't help much: switching the DNS server, or reinstalling Salty and TeamSpeak. We are unfortunately a bit perplexed because we had a total of 3 players only today with which it did not work. Greetings, Gonzooo

systemNEO commented 3 years ago

Hey Gonzooo,

Ask your players whether they updated their FritzBox shortly beforehand; a new version is currently being rolled out. If so: as of version 7.20 there is a new feature called DNS rebind protection (DNS-Rebind-Schutz). lh.saltmine.de normally resolves to 127.0.0.1, which the DNS rebind protection prevents (for good reason, actually). But for lh.saltmine.de we do not want the FritzBox's protection, so we add an exception in the FritzBox under Heimnetz - Netzwerk - tab Netzwerkeinstellungen - section DNS-Rebind-Schutz, in the field Hostnamen-Ausnahmen:, with the value lh.saltmine.de, and save it. After that it should work again.

Regards

D0mm4S commented 3 years ago

> Hey Gonzooo,
>
> Ask your players whether they updated their FritzBox shortly beforehand; a new version is currently being rolled out. If so: as of version 7.20 there is a new feature called DNS rebind protection (DNS-Rebind-Schutz). lh.saltmine.de normally resolves to 127.0.0.1, which the DNS rebind protection prevents (for good reason, actually). But for lh.saltmine.de we do not want the FritzBox's protection, so we add an exception in the FritzBox under Heimnetz - Netzwerk - tab Netzwerkeinstellungen - section DNS-Rebind-Schutz, in the field Hostnamen-Ausnahmen:, with the value lh.saltmine.de, and save it. After that it should work again.
>
> Regards

I am glad that I checked the issues here. This was the solution to me not getting moved in TeamSpeak.

etkaar commented 2 years ago

You will now need both lines in your C:\Windows\System32\drivers\etc\hosts:

127.0.0.1   lh.saltmine.de
127.0.0.1   lh.v10.network

After that, flush your local DNS:

ipconfig /flushdns

tutoy83 commented 2 years ago

Hello, thank you for your information! I have a similar problem. I'm moved into the good channel, but after 1 or 2 hours, or when I am a passenger of a veh that is going very fast... I get kicked back into the welcome channel... I wait 5 minutes and pooof... back in the good channel. Could you explain this phenomenon to me and how to solve it?

I don't understand: should we add the two lines to the file C:\Windows\System32\drivers\etc\hosts or check the DNS rebinding protection in the router?

etkaar commented 2 years ago

Only add these two lines into the file. There are no changes in the router settings required.

tutoy83 commented 2 years ago

Thank you. Can you explain to me exactly what these two lines do?

tutoy83 commented 2 years ago

I like IT and networks and I would like to understand exactly what’s the point with the packets and what if we don’t put it.

etkaar commented 2 years ago

SaltyChat uses a local websocket: https://github.com/v10networkscom/saltychat-fivem/blob/db184ab1b3d29456598dfb7403f4115c586c9c65/saltychat/SaltyClient/VoiceManager.cs#L41

This websocket once had the hostname lh.saltmine.de and a while ago it changed to lh.v10.network. Therefore, I used both lines for backwards compatibility. The socket is private (local), while the hostname is public.

In order to find out which IP address is associated with this hostname (the so-called A record), one needs to query the authoritative nameserver or a public nameserver:

root@remote-test:~# dig -t A lh.v10.network @8.8.8.8

; <<>> DiG 9.16.27-Debian <<>> -t A lh.v10.network @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54580
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;lh.v10.network.                        IN      A

;; ANSWER SECTION:
lh.v10.network.         20391   IN      A       127.0.0.1

;; Query time: 4 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue May 10 12:06:00 CEST 2022
;; MSG SIZE  rcvd: 59

As you can see from the response, the A record for lh.v10.network is 127.0.0.1. But this is not publicly routable space; it is an IP address of the local 127.0.0.0/8 loopback network. Nonetheless, so far this is expected, because the websocket is used locally.

The problem with that is that public nameservers – nowadays for security reasons – shall not respond to DNS queries with IP addresses from private networks, because that can allow an attacker to gain access to information from a local network by switching the IP address from a local to a public address. If they follow this rule and don't respond, Salty Chat simply does not work without manually adding the two lines into C:\Windows\System32\drivers\etc\hosts.

Thus, from the technical aspect, what Salty Chat does is not wrong; it is not a programming mistake. But Salty Chat still relies on a technique which is discouraged due to security concerns. I would therefore recommend @BlackFlash5 to review whether it would make sense to simply replace the hostname with the IPv4 address 127.0.0.1.
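
The filtering behaviour discussed in this thread, as an added example that is not part of the original comments or the project's code: a small Python model of a resolver with DNS rebind protection, a hostname exception list and a hosts-file override. The exact-match exception rule, the lookup order and the sample records in `UPSTREAM` are assumptions constructed for illustration.

```python
import ipaddress

# Hostnames named in the thread; used as the resolver's exception list.
SALTY_HOSTS = ("lh.saltmine.de", "lh.v10.network")

# Constructed sample of upstream answers (the thread's dig output shows
# lh.v10.network -> 127.0.0.1; the dns.google record is illustrative).
UPSTREAM = {
    "lh.v10.network": ["127.0.0.1"],
    "lh.saltmine.de": ["127.0.0.1"],
    "dns.google": ["8.8.8.8"],
}


def is_local_address(addr):
    """True for loopback, private or link-local addresses."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as IPv4.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return ip.is_loopback or ip.is_private or ip.is_link_local


def normalize(name):
    """Lower-case a hostname and drop the trailing root dot."""
    return name.rstrip(".").lower()


def filter_answer(name, addresses, exceptions=()):
    """Addresses a rebind-protecting resolver would hand to the client."""
    if normalize(name) in {normalize(e) for e in exceptions}:
        return list(addresses)  # hostname explicitly trusted
    return [a for a in addresses if not is_local_address(a)]


def resolve(name, hosts_file, upstream=UPSTREAM, exceptions=()):
    """Assumed lookup order: local hosts file first, then the filtered resolver."""
    key = normalize(name)
    if key in hosts_file:
        return [hosts_file[key]]  # answered locally, the filter is never asked
    return filter_answer(key, upstream.get(key, []), exceptions)
```

An empty result from `resolve("lh.v10.network", {})` corresponds to the failure the players saw; either the exception list or the hosts entry restores the loopback answer.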

tutoy83 commented 2 years ago

Thank you very much for your interesting details! There is no reason to change the DNS servers to Google/Cloudflare then?

etkaar commented 2 years ago

Absolutely correct. Using these lines, you don't have to change your DNS server (neither in the router nor in Windows); you can use what you want. You can have a look at Quad9 as an alternative to Google's Public DNS.

tutoy83 commented 2 years ago

I read on internet that « CFX team implemented a NUI blacklist and blocked local (127.0.0.1 and localhost) WebSocket connections ». True?

etkaar commented 2 years ago

I can't tell the reason for that unfortunately.

tutoy83 commented 2 years ago

Hello, I tried to add the two lines but the problem is still here. We are moved into the good channel, but after 1 or 2 hours, or when I am a passenger of a veh that is going very fast... I get kicked back into the welcome channel... I wait 5 minutes and pooof... back in the good channel.

70% of players on the server have the problem … hard to understand.

tutoy83 commented 2 years ago

Do you have an idea @etkaar ? :-)

etkaar commented 2 years ago

Unfortunately not. It also seems not to be related to this issue.