| 1 |
Am 09.02.2013 20:58, schrieb Alan McKinnon: |
| 2 |
> On 09/02/2013 20:22, Florian Philipp wrote: |
| 3 |
>> Hi list! |
| 4 |
>> |
| 5 |
>> I have an issue with SSH. It's a variation of the old "Set 'UseDNS no' |
| 6 |
>> to avoid delays with faulty DNS records" theme. |
| 7 |
>> |
| 8 |
>> Following setup: |
| 9 |
>> 1. I have a server with IPv6 compiled into the SSH daemon but no actual |
| 10 |
>> IPv6 network interface. |
| 11 |
>> |
| 12 |
>> 2. The SSH client has no IPv6, neither compiled nor active. |
| 13 |
>> |
| 14 |
>> 3. The DNS server doesn't serve or support AAAA records. Apparently it |
| 15 |
>> drops all such requests. All other records for IP and reverse lookup are |
| 16 |
>> correct. |
| 17 |
>> |
| 18 |
>> Now I'm experiencing the classic, very long delay when connecting to the |
| 19 |
>> server via SSH because it does DNS lookups. When I look at wireshark |
| 20 |
>> dumps, I see correctly served A and reverse lookups but the server also |
| 21 |
>> insists on doing AAAA requests which time out. |
| 22 |
> |
| 23 |
> When you say "the server also insists on doing AAAA requests" you mean |
| 24 |
> the SSH server, right? |
| 25 |
> |
| 26 |
>> |
| 27 |
>> I tried limiting the sshd "AddressFamily" to inet (aka IPv4) but this |
| 28 |
>> didn't change anything. Is there another workaround or do I really have |
| 29 |
>> to deactivate DNS lookups? |
| 30 |
> |
| 31 |
> Is the server Gentoo and do you really need IPv6 support on it? Did you |
| 32 |
> consider rebuilding that host with IPv6 disabled in USE? |
| 33 |
> |
| 34 |
> IPv6 coexisting with IPv4 is always going to be a tricky problem, and |
| 35 |
> the recommended defaults you run into all over are usually intended to |
| 36 |
> force people to hurry IPv6 implementation along :-) |
| 37 |
> |
| 38 |
> There's always a way to change defaults, and I found this: |
| 39 |
> |
| 40 |
> http://askubuntu.com/questions/32298/prefer-a-ipv4-dns-lookups-before-aaaaipv6-lookups |
| 41 |
> |
| 42 |
> The magic file you need to edit appears to be |
| 43 |
> |
| 44 |
> /etc/gai.conf |
| 45 |
> |
| 46 |
|
| 47 |
Okay, I fixed my issue: An intermediate DNS server was misconfigured and |
| 48 |
recursed on queries for which it is authoritative. Now AAAA queries are |
| 49 |
properly answered. |
| 50 |
|
| 51 |
Regards, |
| 52 |
Florian Philipp |
Archives