UseDNS resolution and OpenSSH

Ever wondered why sometimes it takes an awful lot of time for the password prompt to show up when trying to SSH into a system running OpenSSH on the local network? I have. And I have always suspected it must have something to do with DNS resolution.

It turns out there is a setting in OpenSSH that controls whether SSHd should not only resolve remote host names but also check whether the resolved host names map back to remote IPs. Apparently, that setting is enabled by default in OpenSSH. The directive UseDNS controls this particular behaviour of OpenSSH, and while it is commented in sshd_config (which is the default configuration file for the OpenSSH daemon in most enviornments), as per the man page for sshd_config, the default for UseDNS is set to enabled. Uncommenting the line carrying the UseDNS directive and setting it to “no” disables the feature.

6 thoughts on “UseDNS resolution and OpenSSH

  1. This is a three-minute delay that is the time it takes for DNS to timeout. This three-minute delay shows up all over the place:

    Cisco IOS
    Squid cache
    Postfix / Sendmail
    FTP servers
    PPP clients

    So keep a sharp lookout for DNS failures.

  2. In case of OpenSSH, the DNS resolution feature is merely a small overhead to check whether the resolved IP maps back to the same hostname. In this case, it takes nearly from 30 seconds to 60 seconds to timeout. Also, I tend to keep the LoginGraceTime set to one minute or less on OpenSSH, and that tends to create problems at times.

  3. Pingback: Configuring a Linux Server – Part 1: Sudoer user and SSH | yorch @ web [in]

  4. Pingback: OpenSSH slow logins and DNS « sinewalker

  5. I have strange problem with openssh on my Debian Lenny system. It stops to work after some time making me unable to connect to remote machine. When I nmap it in those situations I get tcpwrapped for ssh port. I think it is somehow connected with reverse DNS resolving. When I try to connect via ssh with -vv options I get chek_ident -1 . This is very annoying problem as I need to pay guy to go to servers and reboot them… DO you have any idea why is this happening ?

  6. Pingback: Why does the “password” prompt take forever when I SSH into my Ubuntu 9.05 server?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s