# Can I disable the use of DNS of SSH login?



## cyberman (May 20, 2009)

We I login into a FreeBSD server in my LAN through SSH, the server will issue DNS query at two point:
1. After I've typed the username.
2. After login accepted.

The first one can be controlled using 'UseDNS' in /etc/ssh/sshd_config, but where doesn't the second one come from and how can I disable it?


----------



## DutchDaemon (May 20, 2009)

Not sure if SSH is responsible for the second one, it could be pam, syslog, utmp, maybe? Anything that records the login and logs/files it, I guess.


----------



## s-tlk (May 20, 2009)

Have you tried ssh -v and looked where it exactly stopped? This verbose flag often reveals a lot of usefull information about ssh problems.


----------



## anomie (May 20, 2009)

cyberman said:
			
		

> We I login into a FreeBSD server in my LAN through SSH, the server will issue DNS query at two point:
> 1. After I've typed the username.
> 2. After login accepted.
> 
> The first one can be controlled using 'UseDNS' in /etc/ssh/sshd_config, but where doesn't the second one come from and how can I disable it?



I think query #2 probably is PAM, as suggested earlier. 

Here is some tcpdump chatter (on the server side) while I logged in via ssh to a FreeBSD 6.4. server:

Immediately following initial sshd handshake

```
# tcpdump dst port 53

14:16:14.640019 IP ernie.some.place.net.59808 > ns2.place.net.domain:  23651+ PTR? 159.68.10.10.in-addr.arpa. (43)
```

(output truncated for readability)

Immediately following successful authentication

```
# tcpdump dst port 53

14:16:32.163573 IP ernie.some.place.net.59567 > ns2.place.net.domain:  23653+ A? dhcp-10-10-68-159.fin.place.net. (50)
```

(output truncated for readability)

Notice that the first is a reverse lookup, and the second is a forward lookup. Hmm. Now look at this in the /var/log/auth.log file: 

```
May 20 14:16:32 ernie sshd[15384]: Accepted keyboard-interactive/pam for mrbig from 10.10.68.159 port 60784 ssh2
```

See the matching timestamp? Also see how it shows an IP instead of a hostname? (Failed authentication attempts neither perform a forward lookup, nor log an IP address, BTW.) 

Again, PAM seems likely to be the cause of lookup #2.


----------



## SirDice (May 21, 2009)

You could just fix DNS too :e Make sure both the hostname and the IP address resolve.


----------



## vivek (May 24, 2009)

I agree fix the dns or use /etc/hosts


----------



## cyberman (Jul 27, 2009)

anomie said:
			
		

> I think query #2 probably is PAM, as suggested earlier.
> 
> Here is some tcpdump chatter (on the server side) while I logged in via ssh to a FreeBSD 6.4. server:
> 
> ...



It seems like that. But can I disable its DNS query?


----------



## anomie (Jul 27, 2009)

I haven't tested this, but - 

```
UsePAM no
```
- in sshd_config should (in theory) disable lookup #2. But then you lose the other PAM capabilities you may have been relying on. 

Also, if you do this, be sure that you have some other authentication form set up than just ChallengeResponseAuthentication. Otherwise you may be locked out of your box.


----------



## cyberman (Jul 28, 2009)

anomie said:
			
		

> I haven't tested this, but -
> 
> ```
> UsePAM no
> ...



Is there anyway to disable that reverse DNS lookup through configuration of PAM?

I've checked the manual of sshd again, and it said that using -u0 can prevent DNS lookup, so:
1. I modified /etc/rc.conf using sshd_flags="-u0", but it doesn't work. I can't find out any operation with sshd_flags in /etc/rc.d/sshd.
2. I modified /etc/rc.d/sshd directly to add -u0, but it the DNS lookup #2 is still here.
3. Then I add this into /etc/ssh/sshd_config:
RhostsRSAAuthentication no
HostbaseAuthentication no
But DNS lookup #2 is still here.

I haven't other thoughts on it right now.


----------



## anomie (Jul 28, 2009)

I don't think you're going to disable the second lookup by changing around sshd's configuration (_unless_ you are willing to disable PAM altogether, as I mentioned). 

Here's the content in my sshd's default PAM config: 

```
%egrep -v '^#|^$' /etc/pam.d/sshd
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
auth		required	pam_unix.so		no_warn try_first_pass
account		required	pam_nologin.so
account		required	pam_login_access.so
account		required	pam_unix.so
session		required	pam_permit.so
password	required	pam_unix.so		no_warn try_first_pass
```

As for which one is causing the lookup..? Your guess is probably as good as mine. 

Since the second lookup happens after successful authentication, we might deduce that it's caused by an "account" or "session" function-class. Assuming that is true, my WAG would be on pam_login_access (which checks for access lists in /etc/login.access). 

If you're feeling in a mood to experiment, comment out that line and try again. If that doesn't work, I'm not sure what to suggest apart from some focused and dedicated tinkering.


----------

