Discussion:
Inhibiting reverse DNS lookups by the SSH server
Jeremy Begg
2008-09-11 02:29:21 UTC
Hi,

Process Software MultiNet V5.2 Rev A-X, HP rx2660 (1.59GHz/9.0MB),
OpenVMS I64 V8.3-1H1

One of the users who works from home has reported that he's seeing long
delays in logging in via SSH. We both suspected a DNS issue and it seems
this is the case. Attempts to do a reverse lookup on his IP address yield
the result "Server failed". I've also tried this from a non-MultiNet system
at another site with a different ISP and got a similar result.

So I'd like to see if we can prevent the reverse lookup.

a) is it possible to configure SSH to not attempt a reverse DNS lookup on
the source IP address?

b) is there any reason why disabling the reverse DNS lookup would be a bad
idea, particularly if we're not interested in doing access control based
on the source of the SSH connection?

I suppose an alternative approach would be to add a master zone to MultiNet's
NAMED.CONF file specifically for his IP address.

Regards,

Jeremy Begg

+---------------------------------------------------------+
| VSM Software Services Pty. Ltd. |
| http://www.vsm.com.au/ |
| "OpenVMS Systems Management & Programming" |
|---------------------------------------------------------|
| P.O.Box 402, Walkerville, | E-Mail: ***@vsm.com.au |
| South Australia 5081 | Phone: +61 8 8221 5188 |
|---------------------------| Mobile: 0414 422 947 |
| A.C.N. 068 409 156 | FAX: +61 8 8221 7199 |
+---------------------------------------------------------+
Richard Whalen
2008-09-11 13:00:16 UTC
Add the following to SSH2_DIR:SSHD2_CONFIG.

ResolveClientHostName False

-----Original Message-----
From: Jeremy Begg [mailto:***@vsm.com.au]
Sent: Wednesday, September 10, 2008 10:29 PM
To: info-***@process.com
Subject: Inhibiting reverse DNS lookups by the SSH server

Hi,

Process Software MultiNet V5.2 Rev A-X, HP rx2660 (1.59GHz/9.0MB),
OpenVMS I64 V8.3-1H1

One of the users who works from home has reported that he's seeing long
delays in logging in via SSH. We both suspected a DNS issue and it seems
this is the case. Attempts to do a reverse lookup on his IP address yield
the result "Server failed". I've also tried this from a non-MultiNet system
at another site with a different ISP and got a similar result.

So I'd like to see if we can prevent the reverse lookup.

a) is it possible to configure SSH to not attempt a reverse DNS lookup on
the source IP address?

b) is there any reason why disabling the reverse DNS lookup would be a bad
idea, particularly if we're not interested in doing access control based
on the source of the SSH connection?

I suppose an alternative approach would be to add a master zone to MultiNet's
NAMED.CONF file specifically for his IP address.

Regards,

Jeremy Begg

+---------------------------------------------------------+
| VSM Software Services Pty. Ltd. |
| http://www.vsm.com.au/ |
| "OpenVMS Systems Management & Programming" |
|---------------------------------------------------------|
| P.O.Box 402, Walkerville, | E-Mail: ***@vsm.com.au |
| South Australia 5081 | Phone: +61 8 8221 5188 |
|---------------------------| Mobile: 0414 422 947 |
| A.C.N. 068 409 156 | FAX: +61 8 8221 7199 |
+---------------------------------------------------------+
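
A way to confirm the diagnosis in this thread before and after changing the server setting, as an added example that is not from either poster or from Process Software: it times one reverse (PTR) lookup of a client address and reports whether it resolved, failed, or ran past a deadline. The function name, the `deadline` and `resolver` parameters, and the sample address 192.0.2.10 are assumptions made for the illustration.

```python
import ipaddress
import socket
import sys
import threading
import time


def probe_reverse_dns(ip, deadline=5.0, resolver=socket.gethostbyaddr):
    """Time one reverse (PTR) lookup of `ip`, giving up after `deadline` seconds.

    `resolver` is injectable (an assumption of this example) so the probe
    can be exercised without a network.
    """
    # Owner name of the PTR record, e.g. 10.2.0.192.in-addr.arpa
    ptr_name = ipaddress.ip_address(ip).reverse_pointer
    result = {}

    def worker():
        try:
            result["hostname"] = resolver(ip)[0]
        except OSError as exc:  # socket.herror and socket.gaierror are subclasses
            result["error"] = str(exc)

    # Daemon thread: a lookup that hangs does not keep the script alive.
    thread = threading.Thread(target=worker, daemon=True)
    start = time.monotonic()
    thread.start()
    thread.join(deadline)
    elapsed = time.monotonic() - start

    if thread.is_alive():
        outcome, hostname = "timeout", None
    elif "hostname" in result:
        outcome, hostname = "resolved", result["hostname"]
    else:
        outcome, hostname = "failed", None
    return {"ip": ip, "ptr_name": ptr_name, "outcome": outcome,
            "hostname": hostname, "elapsed": round(elapsed, 3)}


if __name__ == "__main__":
    # 192.0.2.10 is a constructed sample from the documentation range;
    # pass the real client address as the first argument.
    address = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    report = probe_reverse_dns(address)
    print("{ip} ({ptr_name}): {outcome} after {elapsed}s, host={hostname}".format(**report))
```

A "failed" or "timeout" outcome with an elapsed time of several seconds corresponds to the login delay reported in the first post.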
