
Re: ssh connection takes long time

Chris Davies wrote:
Boyd Stephen Smith Jr. wrote:
All systems should have an rDNS record to map the number back to a
name. Ideally, that canonical name should also have a mapping back to
the number.

In the case of dynamic IP ranges, the rDNS record might map back to an
entry that mimics the IP address itself, but tagged on to the end of
that is the organisation responsible for that IP address. For example, might map to 13-12-11-10.dynamic.someisp.net, and it's
easy to see that "someisp.net" is in some way responsible for that IP
address. (I know you can determine IP address ranges via ARIN/RIPE/APNIC,
etc. but that is /much/ more heavyweight.)

If you don't have any rDNS entry at all, OpenSSH (amongst other subsystems
and applications) will hang until the resolver times out.

IMO the solution is not to tweak those subsystems and applications,
but to get a valid rDNS record added to the DNS.

Agreed in principle, but since ssh is the only one (in my experience) that I ever encountered this inconvenience with, I wonder if the correct thing to do holds up in everyday usage.

Besides, how would you do this with a dynamic IP? We are talking clients here, and you never know what ISP you might use when traveling around.

Your client is irrelevant in this scenario. The ISP should provide rDNS
entries that map its own address space.

Agree again, providing that the "ISP should" and does. It once took me 2 weeks to teach the provider of my 10 Mbit fiber connection how it should be configured, after digging into the manuals myself. Assuming you would be a road warrior running on such an ISP, the experience can turn into a female K9.

Once I was unable to connect at all due to the timeout; admittedly this was an extreme scenario, in inland China trying to connect to Europe. Whether it was the fault of the local ISP or simply my lack of knowledge of the local dialect I'm still not sure ;)

Also I see very little function to this; besides some extra unneeded info in the log, I don't see any added security in this feature.

Added security? Probably not a lot in this case. Convenience when trying
to work out who's thumping your box again? Possibly.

This shows the owner/responsible party for my IP, and it took me about 10 seconds to find.

The theoretical principle does sound feasible to me, but it's the practical implementation and the problems/inconvenience that can occur now and then that make me wonder if a reconsideration would be useful. My own mail server does remote DNS lookups, but I wonder if it's the only mail server that actually does.

My opinion in this case is of course biased by my specific usage and experience, hence the question whether there are scenarios where it does make a lot more sense.

Just another collection of nuts
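The thread turns on whether a client address has a reverse record that also maps back to the address (forward-confirmed rDNS, the check sshd makes when `UseDNS` is on). The following added example, not from this thread or from OpenSSH, shows that check with the resolver injectable, so the three outcomes (no PTR, unconfirmed PTR, confirmed) can be demonstrated offline against a constructed zone that mirrors the ISP naming scheme quoted above; the hostnames and addresses in it are made up.

```python
import socket
from typing import Callable, List, Tuple

# Outcomes of a forward-confirmed reverse DNS (FCrDNS) check.
NO_PTR = "no-ptr"                    # no reverse record: the resolver fails or times out
PTR_UNCONFIRMED = "ptr-unconfirmed"  # PTR name exists but does not resolve back to the address
CONFIRMED = "confirmed"              # PTR name resolves back to the address

ReverseLookup = Callable[[str], str]        # ip -> canonical name, raises OSError on failure
ForwardLookup = Callable[[str], List[str]]  # name -> addresses, raises OSError on failure


def system_reverse(ip: str) -> str:
    # Uses the host's resolver; with no PTR this is the call that can stall until timeout.
    return socket.gethostbyaddr(ip)[0]


def system_forward(name: str) -> List[str]:
    return socket.gethostbyname_ex(name)[2]


def fcrdns_check(ip: str, reverse: ReverseLookup = system_reverse,
                 forward: ForwardLookup = system_forward) -> Tuple[str, str]:
    """Return (outcome, ptr_name). ptr_name is "" when no reverse record exists."""
    try:
        name = reverse(ip)
    except OSError:          # socket.herror / socket.gaierror are OSError subclasses
        return NO_PTR, ""
    try:
        addrs = forward(name)
    except OSError:
        addrs = []
    return (CONFIRMED if ip in addrs else PTR_UNCONFIRMED), name


# Constructed sample zone (hypothetical data, not real DNS) for offline demonstration.
FAKE_PTR = {"10.11.12.13": "13-12-11-10.dynamic.someisp.net",  # dynamic-style PTR, confirmed
            "192.0.2.7": "mail.example.net"}                    # PTR whose A record differs
FAKE_A = {"13-12-11-10.dynamic.someisp.net": ["10.11.12.13"],
          "mail.example.net": ["192.0.2.9"]}


def fake_reverse(ip: str) -> str:
    if ip not in FAKE_PTR:
        raise socket.herror(1, "Unknown host")
    return FAKE_PTR[ip]


def fake_forward(name: str) -> List[str]:
    if name not in FAKE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_A[name]


if __name__ == "__main__":
    for addr in ("10.11.12.13", "192.0.2.7", "198.51.100.1"):
        print(addr, fcrdns_check(addr, fake_reverse, fake_forward))
```

Calling `fcrdns_check(ip)` with the default lookups runs against the real resolver, so a client with no PTR reproduces the delay discussed in the thread rather than an immediate `no-ptr` result.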