Bug#527969: openssh-server: The ssh -D SOCKS proxy does not cope with some odd DNS responses
Package: openssh-server
Version: 1:5.1p1-5+b1
Severity: normal
Hi,
There seems to be a problem in the ssh -D SOCKS proxy which is triggered by some
eccentricity in login.facebook.com's DNS entry.
Below are three illustrations of how that DNS entry is behaving, taken from
different places on the net. In each case a DNS query gives one valid A
record response before triggering an error condition. I don't know what it is
about Facebook's DNS servers that is causing this.
A regular web browser will cope with the error condition and connect to the IP
address in question. A web browser talking SOCKS over ssh -D will fail to
connect to the IP address.
host login.facebook.com localhost
Using domain server:
Name: localhost
Address: 127.0.0.1#53
Aliases:
--------------------
login.facebook.com has address 69.63.180.173
;; connection timed out; no servers could be reached
host login.facebook.com 192.168.1.1
Using domain server:
Name: 192.168.1.1
Address: 192.168.1.1#53
Aliases:
login.facebook.com has address 69.63.176.138
Host login.facebook.com not found: 2(SERVFAIL)
--------------------
host login.facebook.com 64.127.100.11
Using domain server:
Name: 64.127.100.11
Address: 64.127.100.11#53
Aliases:
login.facebook.com has address 69.63.180.174
;; connection timed out; no servers could be reached
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.28-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash
Versions of packages openssh-server depends on:
ii add 3.110 add and remove users and groups
ii deb 1.5.19 Debian configuration management sy
ii dpk 1.14.26 Debian package management system
ii lib 2.9-4 GNU C Library: Shared libraries
ii lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 common error description library
ii lib 1.6.dfsg.4~beta1-13 MIT Kerberos runtime libraries - k
ii lib 1.6.dfsg.4~beta1-13 MIT Kerberos runtime libraries - C
ii lib 1.6.dfsg.4~beta1-13 MIT Kerberos runtime libraries
ii lib 0.79-5 Pluggable Authentication Modules f
ii lib 0.79-5 Runtime support for the PAM librar
ii lib 0.99.7.1-5 Pluggable Authentication Modules l
ii lib 2.0.59-1 SELinux shared libraries
ii lib 0.9.8g-16 SSL shared libraries
ii lib 7.6.dbs-13 Wietse Venema's TCP wrappers libra
ii lsb 3.2-22 Linux Standard Base 3.2 init scrip
ii ope 0.1.0 list of blacklisted OpenSSH RSA an
ii ope 1:5.1p1-5+b1 secure shell client, an rlogin/rsh
ii pro 1:3.2.7-3 /proc file system utilities
ii zli 1:1.2.3.3.dfsg-13 compression library - runtime
Versions of packages openssh-server recommends:
ii openssh-blacklist-extra 0.4.1 list of non-default blacklisted Op
ii xauth 1:1.0.2-2 X authentication utility
-- debconf-show failed
--
Peter Eckersley pde@eff.org
Staff Technologist Tel +1 415 436 9333 x131
Electronic Frontier Foundation Fax +1 415 436 9993