* [gentoo-user] SSH UseDNS without IPv6?
From: Florian Philipp @ 2013-02-09 18:22 UTC
To: Gentoo User List
Hi list!

I have an issue with SSH. It's a variation of the old "Set 'UseDNS no'
to avoid delays with faulty DNS records" theme.

Following setup:
1. I have a server with IPv6 compiled into the SSH daemon but no actual
IPv6 network interface.

2. The SSH client has no IPv6, neither compiled nor active.

3. The DNS server doesn't serve or support AAAA records. Apparently it
drops all such requests. All other records for IP and reverse lookup are
correct.

Now I'm experiencing the classic, very long delay when connecting to the
server via SSH because it does DNS lookups. When I look at wireshark
dumps, I see correctly served A and reverse lookups but the server also
insists on doing AAAA requests which time out.

I tried limiting the sshd "AddressFamily" to inet (aka IPv4) but this
didn't change anything. Is there another workaround or do I really have
to deactivate DNS lookups?

Thanks in advance!
Florian Philipp
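The capture check described in the message above (A and reverse lookups answered, AAAA queries timing out) can be automated by pairing each DNS query with its response and reporting the record types that never get a reply. This is an added example, not part of the original posts; the tab-separated row layout, the host names and the timings are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: tab-separated rows (time_s, dns_id, is_response, qtype, qname).
# Not from the original capture; names and addresses are placeholders.
SAMPLE = """\
0.000\t0x1a01\t0\tPTR\t10.2.0.192.in-addr.arpa
0.002\t0x1a01\t1\tPTR\t10.2.0.192.in-addr.arpa
0.003\t0x1a02\t0\tA\tclient.example.test
0.005\t0x1a02\t1\tA\tclient.example.test
0.006\t0x1a03\t0\tAAAA\tclient.example.test
5.011\t0x1a03\t0\tAAAA\tclient.example.test
10.016\t0x1a04\t0\tAAAA\tclient.example.test
"""

def parse(text):
    """Yield (time, id, is_response, qtype, qname) tuples from the rows."""
    for line in filter(str.strip, text.splitlines()):
        t, dns_id, resp, qtype, qname = line.split("\t")
        yield float(t), dns_id, resp in ("1", "True"), qtype, qname

def unanswered(text):
    """Return {(qtype, qname): [first_seen, last_seen, attempts]} for queries with no reply."""
    pending = {}                      # (id, qtype, qname) -> [first, last, attempts]
    for t, dns_id, is_resp, qtype, qname in parse(text):
        key = (dns_id, qtype, qname)
        if is_resp:
            pending.pop(key, None)    # answered: no longer suspicious
        elif key in pending:
            pending[key][1] = t       # retransmission with the same id
            pending[key][2] += 1
        else:
            pending[key] = [t, t, 1]
    merged = {}                       # collapse retries that used a fresh id
    for (_id, qtype, qname), (first, last, n) in pending.items():
        m = merged.setdefault((qtype, qname), [first, last, 0])
        m[0], m[1], m[2] = min(m[0], first), max(m[1], last), m[2] + n
    return merged

def stall_by_type(text):
    """Seconds between first and last unanswered query, summed per record type."""
    out = defaultdict(float)
    for (qtype, _), (first, last, _n) in unanswered(text).items():
        out[qtype] += last - first
    return dict(out)

if __name__ == "__main__":
    for (qtype, qname), (first, last, n) in unanswered(SAMPLE).items():
        print(f"{qtype} {qname}: {n} queries, no reply, {last - first:.3f}s of retries")
```

A record type that appears here while A and PTR do not points at the resolver path for that type rather than at sshd itself.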
* Re: [gentoo-user] SSH UseDNS without IPv6?
From: Alan McKinnon @ 2013-02-09 19:58 UTC
To: gentoo-user
On 09/02/2013 20:22, Florian Philipp wrote:
> Hi list!
>
> I have an issue with SSH. It's a variation of the old "Set 'UseDNS no'
> to avoid delays with faulty DNS records" theme.
>
> Following setup:
> 1. I have a server with IPv6 compiled into the SSH daemon but no actual
> IPv6 network interface.
>
> 2. The SSH client has no IPv6, neither compiled nor active.
>
> 3. The DNS server doesn't serve or support AAAA records. Apparently it
> drops all such requests. All other records for IP and reverse lookup are
> correct.
>
> Now I'm experiencing the classic, very long delay when connecting to the
> server via SSH because it does DNS lookups. When I look at wireshark
> dumps, I see correctly served A and reverse lookups but the server also
> insists on doing AAAA requests which time out.

When you say "the server also insists on doing AAAA requests" you mean
the SSH server, right?

> I tried limiting the sshd "AddressFamily" to inet (aka IPv4) but this
> didn't change anything. Is there another workaround or do I really have
> to deactivate DNS lookups?

Is the server Gentoo and do you really need IPv6 support on it? Did you
consider rebuilding that host with IPv6 disabled in USE?

IPv6 coexisting with IPv4 is always going to be a tricky problem, and
the recommended defaults you run into all over are usually intended to
force people to hurry IPv6 implementation along :-)

There's always a way to change defaults, and I found this:

http://askubuntu.com/questions/32298/prefer-a-ipv4-dns-lookups-before-aaaaipv6-lookups

The magic file you need to edit appears to be

/etc/gai.conf

--
Alan McKinnon
alan.mckinnon@gmail.com
* Re: [gentoo-user] SSH UseDNS without IPv6?
From: Florian Philipp @ 2013-02-10 11:56 UTC
To: gentoo-user
On 09.02.2013 20:58, Alan McKinnon wrote:
> On 09/02/2013 20:22, Florian Philipp wrote:
>> Hi list!
>>
>> I have an issue with SSH. It's a variation of the old "Set 'UseDNS no'
>> to avoid delays with faulty DNS records" theme.
>>
>> Following setup:
>> 1. I have a server with IPv6 compiled into the SSH daemon but no actual
>> IPv6 network interface.
>>
>> 2. The SSH client has no IPv6, neither compiled nor active.
>>
>> 3. The DNS server doesn't serve or support AAAA records. Apparently it
>> drops all such requests. All other records for IP and reverse lookup are
>> correct.
>>
>> Now I'm experiencing the classic, very long delay when connecting to the
>> server via SSH because it does DNS lookups. When I look at wireshark
>> dumps, I see correctly served A and reverse lookups but the server also
>> insists on doing AAAA requests which time out.
>
> When you say "the server also insists on doing AAAA requests" you mean
> the SSH server, right?
>
>>
>> I tried limiting the sshd "AddressFamily" to inet (aka IPv4) but this
>> didn't change anything. Is there another workaround or do I really have
>> to deactivate DNS lookups?
>
> Is the server Gentoo and do you really need IPv6 support on it? Did you
> consider rebuilding that host with IPv6 disabled in USE?
>
> IPv6 coexisting with IPv4 is always going to be a tricky problem, and
> the recommended defaults you run into all over are usually intended to
> force people to hurry IPv6 implementation along :-)
>
> There's always a way to change defaults, and I found this:
>
> http://askubuntu.com/questions/32298/prefer-a-ipv4-dns-lookups-before-aaaaipv6-lookups
>
> The magic file you need to edit appears to be
>
> /etc/gai.conf
>

Okay, I fixed my issue: An intermediate DNS server was misconfigured and
recursed on queries for which it is authoritative. Now AAAA queries are
properly answered.

Regards,
Florian Philipp