Re: ssh connection takes long time
Chris Davies wrote:
Boyd Stephen Smith Jr. wrote:
All systems should have an rDNS record to map the number back to a
name. Ideally, that canonical name should also have a mapping back to
In the case of dynamic IP ranges, the rDNS record might map back to an
entry that mimics the IP address itself, but tagged on to the end of
that is the organisation responsible for that IP address. For example,
10.11.12.13 might map to 13-12-11-10.dynamic.someisp.net, and it's
easy to see that "someisp.net" is in some way responsible for that IP
address. (I know you can determine IP address ranges via ARIN/RIPE/APNIC,
etc. but that is /much/ more heavyweight.)
If you don't have any rDNS entry at all, OpenSSH (amongst other subsystems
and applications) will hang until the resolver times out.
IMO the solution is not to tweak those subsystems and applications,
but to get a valid rDNS record added to the DNS.
Agreed in principle, but since ssh is the only one (in my experience)
that I ever encountered this inconvenience with, I wonder if the correct
thing to do holds up in everyday usage.
Agree again, providing that the "ISP should" and does. It once took me 2
weeks to teach my provider of my 10 Mbit fiber connection how it should
be configured after digging into the manuals myself. Assuming you would
be a road warrior running on such an ISP, the experience can turn into a
Besides, how would you do this with a dynamic IP? We are talking clients
here, and you never know what ISP you might use when traveling around.
Your client is irrelevant in this scenario. The ISP should provide rDNS
entries that map its own address space.
Once I was unable to connect at all due to the timeout. Admittedly this
was an extreme scenario, in inland China trying to connect to Europe; whether
it was the fault of the local ISP or simply my lack of knowledge of the
local dialect I'm still not sure ;)
Also, I see very little function in this; besides some extra unneeded
info in the log, I don't see any added security in this feature.
Added security? Probably not a lot in this case. Convenience when trying
to work out who's thumping your box again? Possibly.
This shows the owner/responsible party for my IP, and it took me about 10
seconds to find.
The theoretical principle does sound feasible to me, but it's the
practical implementation and the problems/inconvenience that can occur
now and then that make me wonder if a reconsideration would be useful.
My own mail server does remote DNS lookups, but I wonder if it's the
only mail server that actually does.
My opinion in this case is of course biased by my specific usage and
experience, hence the question whether there are scenarios where it
does make a lot more sense.
Just another collection of nuts
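A defender-side way to see what sshd's reverse lookup will run into for a given address, as an added example that is not from this thread: it does the PTR lookup, checks that the returned name maps forward to the same address again (the "mapping back" Boyd mentions), times how long the resolver takes (the delay the thread is about), and pulls the responsible domain out of a dynamic-pool name like 13-12-11-10.dynamic.someisp.net. The sample zone, sample_reverse/sample_forward and the responsible_domain heuristic are constructed for this example and are not real DNS data.

```python
import socket
import sys
import time
from typing import Callable, Iterable

def _real_reverse(ip: str) -> str:
    # PTR lookup; raises socket.herror when the address has no rDNS record.
    return socket.gethostbyaddr(ip)[0]

def _real_forward(name: str) -> list:
    # A-record lookup of the name the PTR handed back.
    return socket.gethostbyname_ex(name)[2]

def responsible_domain(ptr: str) -> str:
    # Heuristic (assumption): last two labels name the responsible organisation,
    # e.g. 13-12-11-10.dynamic.someisp.net -> someisp.net; public suffixes (co.uk) ignored.
    return ".".join(ptr.rstrip(".").split(".")[-2:])

def check_rdns(ip: str, reverse: Callable[[str], str] = _real_reverse,
               forward: Callable[[str], Iterable[str]] = _real_forward) -> dict:
    """Classify an address as sshd's reverse lookup sees it: 'no-ptr' (sshd waits until
    the resolver gives up), 'unconfirmed' (PTR does not map forward) or 'confirmed'."""
    start = time.monotonic()
    try:
        ptr = reverse(ip)
    except (socket.herror, socket.gaierror):
        ptr = None
    elapsed = round(time.monotonic() - start, 3)  # the login delay the thread is about
    if ptr is None:
        return {"ip": ip, "status": "no-ptr", "ptr": None, "responsible": None, "lookup_seconds": elapsed}
    try:
        addrs = set(forward(ptr))
    except (socket.herror, socket.gaierror):
        addrs = set()
    status = "confirmed" if ip in addrs else "unconfirmed"
    return {"ip": ip, "status": status, "ptr": ptr, "responsible": responsible_domain(ptr), "lookup_seconds": elapsed}

# Constructed sample zone so the check runs offline; not real DNS data.
SAMPLE_PTR = {"10.11.12.13": "13-12-11-10.dynamic.someisp.net", "192.0.2.9": "mail.example.net"}
SAMPLE_A = {"13-12-11-10.dynamic.someisp.net": ["10.11.12.13"],
            "mail.example.net": ["192.0.2.10"]}  # stale: does not map back to 192.0.2.9

def sample_reverse(ip: str) -> str:
    if ip not in SAMPLE_PTR:
        raise socket.herror(1, "Unknown host")
    return SAMPLE_PTR[ip]

def sample_forward(name: str) -> list:
    return SAMPLE_A.get(name, [])

if __name__ == "__main__":
    # Real resolver when addresses are given on the command line, sample zone otherwise.
    for ip in sys.argv[1:] or ["10.11.12.13", "192.0.2.9", "198.51.100.1"]:
        print(check_rdns(ip) if sys.argv[1:] else check_rdns(ip, sample_reverse, sample_forward))
```

Run without arguments it walks the constructed zone; with addresses it asks the real resolver, and a large lookup_seconds on a 'no-ptr' result is exactly the login stall described above.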