SSH DNS resolution order

Asked by Alex

Hi,

I'm not sure if this is a bug and if it is one I'm not sure to which package it belongs.

The DNS resolution order of an SSH connection has quite bad performance at the moment. When I enable the log-queries option of dnsmasq I see these entries showing up when I open an SSH connection to a host (mysshhost) in the same domain (mydomain.tld):

So when I execute:
ssh mysshhost

I get these log entries:
Jan 16 15:34:09 workstation1 dnsmasq[13845]: query[AAAA] mysshhost.mydomain.tld from 127.0.0.1
Jan 16 15:34:09 workstation1 dnsmasq[13845]: forwarded mysshhost.mydomain.tld to 192.168.1.3
Jan 16 15:34:09 workstation1 dnsmasq[13845]: reply mysshhost.mydomain.tld is NODATA-IPv6
Jan 16 15:34:09 workstation1 dnsmasq[13845]: query[AAAA] mysshhost from 127.0.0.1
Jan 16 15:34:09 workstation1 dnsmasq[13845]: forwarded mysshhost to 192.168.1.3
Jan 16 15:34:09 workstation1 dnsmasq[13845]: forwarded mysshhost to 192.168.1.2
Jan 16 15:34:09 workstation1 dnsmasq[13845]: forwarded mysshhost to 192.168.1.3
Jan 16 15:34:18 workstation1 dnsmasq[13845]: query[AAAA] mysshhost from 127.0.0.1
Jan 16 15:34:18 workstation1 dnsmasq[13845]: forwarded mysshhost to 192.168.1.3
Jan 16 15:34:18 workstation1 dnsmasq[13845]: forwarded mysshhost to 192.168.1.2
Jan 16 15:34:27 workstation1 dnsmasq[13845]: query[A] mysshhost.mydomain.tld from 127.0.0.1
Jan 16 15:34:27 workstation1 dnsmasq[13845]: forwarded mysshhost.mydomain.tld to 192.168.1.3
Jan 16 15:34:27 workstation1 dnsmasq[13845]: forwarded mysshhost.mydomain.tld to 192.168.1.2
Jan 16 15:34:27 workstation1 dnsmasq[13845]: reply mysshhost.mydomain.tld is 192.168.9.134

As you can see, the first query is a query for an AAAA record for mysshhost.mydomain.tld. This isn't a problem, because I get a NODATA-IPv6 reply instantly. Now comes the problem. Instead of doing a lookup for an A record on the same domain, an AAAA lookup for the plain hostname (without the domain appended) is executed. Since this isn't a valid domain name, the DNS server doesn't reply but times out twice. This takes ages.

In my opinion it would make more sense to lookup the IP address in this order:
AAAA record for mysshhost.mydomain.tld
A record for mysshhost.mydomain.tld
AAAA record for mysshhost
A record for mysshhost

I already have two workarounds for my .ssh/config file:

The first one is to disable IPv6:
AddressFamily inet

The other one is to specify the full hostname for mysshhost:
Host mysshhost
    HostName mysshhost.mydomain.tld
    User myuser

I'm looking forward to your input :)

Cheers,
Alex

-- Update: --

I also got a lot of unanswered PTR queries in the logs:
query[PTR] 134.9.168.192.in-addr.arpa from 127.0.0.1

To fix this I have to use this option:
GSSAPIAuthentication no
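
A small log analyser, added here as an example (it is not part of Alex's post, nor code from dnsmasq or OpenSSH), that reads the dnsmasq log-queries lines quoted above (embedded in the script) and reports, per client query, how often dnsmasq forwarded it upstream, whether a reply was ever logged for it, and how long the client waited before issuing its next query. Queries that were forwarded but never answered are the ones the client had to time out on, which is where the 18 seconds in this trace go. Attributing forwarded/reply lines to the most recent unanswered query with the same name is an assumption that holds for a single client doing one lookup at a time; the year-less syslog timestamps mean intervals across midnight are not handled.

```python
import re
from datetime import datetime

# The dnsmasq log-queries lines from the post above, embedded so the
# analysis runs offline. Any other dnsmasq log in the same format can be
# passed to analyse() instead.
DNSMASQ_LOG = """\
Jan 16 15:34:09 workstation1 dnsmasq[13845]: query[AAAA] mysshhost.mydomain.tld from 127.0.0.1
Jan 16 15:34:09 workstation1 dnsmasq[13845]: forwarded mysshhost.mydomain.tld to 192.168.1.3
Jan 16 15:34:09 workstation1 dnsmasq[13845]: reply mysshhost.mydomain.tld is NODATA-IPv6
Jan 16 15:34:09 workstation1 dnsmasq[13845]: query[AAAA] mysshhost from 127.0.0.1
Jan 16 15:34:09 workstation1 dnsmasq[13845]: forwarded mysshhost to 192.168.1.3
Jan 16 15:34:09 workstation1 dnsmasq[13845]: forwarded mysshhost to 192.168.1.2
Jan 16 15:34:09 workstation1 dnsmasq[13845]: forwarded mysshhost to 192.168.1.3
Jan 16 15:34:18 workstation1 dnsmasq[13845]: query[AAAA] mysshhost from 127.0.0.1
Jan 16 15:34:18 workstation1 dnsmasq[13845]: forwarded mysshhost to 192.168.1.3
Jan 16 15:34:18 workstation1 dnsmasq[13845]: forwarded mysshhost to 192.168.1.2
Jan 16 15:34:27 workstation1 dnsmasq[13845]: query[A] mysshhost.mydomain.tld from 127.0.0.1
Jan 16 15:34:27 workstation1 dnsmasq[13845]: forwarded mysshhost.mydomain.tld to 192.168.1.3
Jan 16 15:34:27 workstation1 dnsmasq[13845]: forwarded mysshhost.mydomain.tld to 192.168.1.2
Jan 16 15:34:27 workstation1 dnsmasq[13845]: reply mysshhost.mydomain.tld is 192.168.9.134
"""

# Syslog timestamp, host, "dnsmasq[pid]:", then one of the three event kinds
# that log-queries produces for a forwarded lookup.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ dnsmasq\[\d+\]: "
    r"(?:query\[(?P<qtype>[A-Z]+)\]|(?P<event>forwarded|reply)) (?P<name>\S+)"
)


def parse_log(text):
    """Yield (timestamp, event, qtype, name) for each recognised line.

    event is 'query', 'forwarded' or 'reply'; qtype is only set for 'query'.
    Syslog timestamps carry no year, so intervals that cross midnight or a
    year boundary are not handled here (assumption: one short trace).
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        event = "query" if m.group("qtype") else m.group("event")
        yield ts, event, m.group("qtype"), m.group("name")


def analyse(text):
    """Group the log into client queries and measure what each one cost.

    Each returned dict holds the query type and name, how many times dnsmasq
    forwarded it upstream (retries to the next server show up here), whether
    any reply was logged for it, and how long the client waited before it
    issued the next query (None for the last one). 'forwarded' and 'reply'
    lines are attributed to the most recent unanswered query for the same
    name, which is enough for a single client doing one lookup at a time.
    """
    queries = []
    for ts, event, qtype, name in parse_log(text):
        if event == "query":
            queries.append({"ts": ts, "qtype": qtype, "name": name,
                            "forwards": 0, "answered": False, "wait_s": None})
            continue
        for q in reversed(queries):
            if q["name"] == name and not q["answered"]:
                if event == "forwarded":
                    q["forwards"] += 1
                else:
                    q["answered"] = True
                break
    for cur, nxt in zip(queries, queries[1:]):
        cur["wait_s"] = (nxt["ts"] - cur["ts"]).total_seconds()
    return queries


def unanswered_names(queries):
    """Names that were forwarded upstream but never got a reply: these are
    the lookups the client had to time out on."""
    return {q["name"] for q in queries if q["forwards"] and not q["answered"]}


def stall_seconds(queries):
    """Seconds the client spent waiting on queries that were never answered."""
    return sum(q["wait_s"] or 0.0 for q in queries if not q["answered"])


if __name__ == "__main__":
    qs = analyse(DNSMASQ_LOG)
    for q in qs:
        wait = "-" if q["wait_s"] is None else f"{q['wait_s']:.0f}s"
        state = "answered" if q["answered"] else "NO REPLY"
        print(f"{q['ts']:%H:%M:%S} {q['qtype']:<4} {q['name']:<24} "
              f"forwards={q['forwards']} {state:<9} wait={wait}")
    print(f"stalled {stall_seconds(qs):.0f}s on {sorted(unanswered_names(qs))}")
```

On the trace above this reports the two bare-name AAAA queries as forwarded three and two times with no reply, 9 s of waiting after each, and 18 s stalled in total, while both FQDN queries were answered within the same second. The bare name reaches the upstream servers at all because, with `search mydomain.tld` in resolv.conf and the resolver's default ndots of 1, a single-label name is tried with the search suffix first and then as-is; anything that prevents that last step (an entry in /etc/hosts, or the client using the FQDN) removes the query that times out.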

Question information

Language: English
Status: Solved
For: Ubuntu
Solved by: Thomas Krüger

Thomas Krüger (thkrueger) said :
#1

The thing is simple: if you set a FQDN, it has to be valid in the network you use it in.
In your case I recommend configuring a DNS zone in the DNS server (if you have one locally) or using the domain "local". It should be handled correctly by the DNS server.

Alex (alexander-stehlik) said :
#2

Hi Thomas,

thanks for your reply.

I'm not quite sure, what you mean. In my /etc/resolv.conf there is a search entry:

search mydomain.tld

So I would expect the ssh client (or any other client) to append this domain to all DNS requests that do not contain a fully qualified domain name. Or do I misunderstand the concept?

Cheers,
Alex

Jeet (gour-jitendrasingh) said :
#3

Try this:

ssh user@hostname

If that still doesn't help, try to ping the hostname and get its IP :)

and try again.

If that doesn't help either,

try user@fullhostname (e.g. myhost.mydom.com); you can also specify the port with -p if you know it.

Thomas Krüger (thkrueger) said :
#4

The search domain will cause the effect. Please remove it from resolv.conf for testing and, if that works, from the actual configuration in NetworkManager or wherever you configured it.
If you want to use the search domain, it has to point to a valid domain name.

Alex (alexander-stehlik) said :
#5

The search domain is pointing to a valid domain name. This is not the problem. My problem is the performance of the order of the resolution (see my original question).

This is the current order of the resolution:

AAAA record for mysshhost.mydomain.tld
AAAA record for mysshhost (<- this takes really, really long!)
A record for mysshhost.mydomain.tld
A record for mysshhost

In my opinion it would make more sense to use this order:

AAAA record for mysshhost.mydomain.tld
A record for mysshhost.mydomain.tld
AAAA record for mysshhost
A record for mysshhost

My question is: is this behaviour intended or is it a bug? And if it is a bug, to which package does it belong?

Best Thomas Krüger (thkrueger) said :
#6

This behaviour is intended. IPv6 has priority over IPv4, then the FQDN over the hostname. In your example the FQDN has first priority over IPv6.

Your options:
* configure the DNS properly to resolve the AAAA without domain or return an error
* use the FQDN
* add the IPv4 and IPv6 addresses to /etc/hosts
* use the AddressFamily setting
* use the -4 parameter

Sorry, but the problem is not caused by a bug or something similar, but by your DNS that does not support IPv6 properly.

Alex (alexander-stehlik) said :
#7

OK, thank you Thomas. Sounds logical :)

My DNS is returning an error for the fully qualified domain name, but not for the hostname. But this would be a new question.

Alex (alexander-stehlik) said :
#8

Thanks Thomas Krüger, that solved my question.