sshd tries reverse DNS lookups with UseDNS no

Question

sshd seems to almost always try to perform a reverse DNS lookup on new connections. For hosts without a PTR entry this causes delays of 5 seconds per query. Sometimes it accepts the connection immediately, sometimes it tries to resolve once, sometimes twice. I observed this using tcpdump port 53 while trying to connect to the server. I have really no idea why it tries to lookup twice sometimes.

This seems to be a fairly frequent issue and the standard response is UseDNS no in /etc/ssh/sshd_config. However, I already have this option set and sshd is still trying to perform these reverse lookups.

I found another suggestion here. I tried to add -u0 to /etc/default/ssh, but it doesn't seem to have changed anything.

I'm out of ideas at this point, any suggestion will be welcome.

Try upping the sshd LogLevel to VERBOSE or DEBUG to see what's going on? — hcsteve, Feb 17 '14 at 23:14
I intend to try that sometime at night when there are fewer connections from people... — koniiiik, Feb 18 '14 at 07:38
If OpenSSH is built with tcpwrapper support, that can also cause reverse lookups for the client address depending on the tcpwrapper policy (/etc/hosts.{allow,deny} etc.). — Richard E. Silverman, Mar 01 '14 at 07:04
Can you post your sshd_config? Testing with FreeBSD 9.1 and 9.2 indicates that with UseDNS set to no, and no other configuration item set that might cause a DNS lookup, no lookups occur. — Kevin Phair, Feb 25 '14 at 10:32

score 10 · Answer 1 · edited Nov 02 '17 at 20:08

10

Nowadays the most frequent culprit is GSSAPI:

/etc/ssh/sshd_config:
GSSAPIAuthentication no

The other three culprits for Linux platform have been mentioned in other answer:

add to sshd a command line option -u0
set UseDNS no
don't use from=hostname inside authorized_keys files

edited Nov 02 '17 at 20:08

Alex

523
1
4
14

answered Apr 02 '15 at 14:15

kubanczyk

13,812
5
41
55

score 5 · Answer 2 · answered Feb 17 '14 at 23:59

5

Use DNS = no does not prevent sshd from performing DNS lookups, it prevents it from rejecting clients when PTR records don't match.

-u0 prevents sshd from logging DNS names in the utmp struct.

lookups might still happen depending one what a user has in their authorized_keys.

See this for a decent explanation:

http://lists.freebsd.org/pipermail/freebsd-stable/2006-November/030886.html

answered Feb 17 '14 at 23:59

quadruplebucky

5,139
20
23

To be honest, I haven't even heard about there being a possibility to specify from=hostname in authorized_keys, so at least in the case of myself trying to log in, this is not in effect. Also, the lookup-induced lag happens *before* sshd logs the line Connection from port in syslog, which presumably means, before it learns what user is trying to log in. – koniiiik Feb 18 '14 at 07:36

score 1 · Answer 3 · answered Jun 05 '16 at 22:19

1

Modify those in /etc/ssh/sshd_config Port 22, UseDNS yes, UsePAM no, UseLogin no,

And make: service sshd restart

answered Jun 05 '16 at 22:19

Ernesto Mila

11
1

score 0 · Accepted Answer · answered Jan 20 '15 at 20:23

0

Well, it's been a while, but it turned out that the lag disappeared the next time we rebooted the server. I have no idea what happened, but it must have been one of the things I tried and apparently just restarting sshd wasn't enough.

answered Jan 20 '15 at 20:23

koniiiik

191
1
1
5

score 0 · Answer 5 · answered Nov 02 '17 at 16:49

0

In my case the issue was entries in the hosts.allow and/or hosts.deny files that caused it to do dns lookups. According to the documentation the same can happen for Allow and Deny directives in the config files.

answered Nov 02 '17 at 16:49

PlasmaHH

401
3
6

score -2 · Answer 6 · answered Feb 09 '16 at 13:18

-2

Also disable GSS auth can help with this issue.

answered Feb 09 '16 at 13:18

Nefer

1

1

This answer has already been given earlier. – Gerald Schneider Feb 09 '16 at 13:35

sshd tries reverse DNS lookups with UseDNS no

6 Answers6