# ssh long login and dns - revisted



## levinas69 (Sep 4, 2009)

Alright.  I can't believe there isn't a resolution to this problem, though so many seem to have brought it up.

Here are the facts:

1. An internet search shows that a number of users have been frustrated by ssh logins to FreeBSD.  The issue is that when connecting to a FreeBSD box via ssh the request for "login as" appears quickly but the request for a password takes a long time.

2. The issue is that the OpenSSH package that comes with FreeBSD seems to do a reverse DNS lookup before requesting a password.  The lookup (observable with: tcpdump dst port 53) takes up to 60 seconds.

3. Questions about fixing this issue usually receive one of two answers, neither of which work.  The typical answer is to either (i) edit ssh_config to include the line "VerifyReverseMapping no" or (ii) edit ssh config to include the line "UseDNS no".  It is widely acknowledged that *neither* solution works.

4. Further, adding your local servers to hosts and making sure that hosts.conf points to the hosts file before dns also does not seem to solve the problem.  Though, admittedly, report vary in this regard.  (Some say this works, other say it doesn't.  For me it hasn't worked.)

4. So, question to the great BSD gurus in the sky is how the !$&#&%&%^ do you solve the frackin' problem.  Excuse my language its been buggin' me for more than a week.

Please, please, please don't say "configure named".  If BSD with OpenSSH really requires named to make ssh login times bearable, then that's plain silliness.

Also, please, please, please, don't tell me you all put up with the wait time.  You would accept that kinda wait from your Crackberries (tm); it would be pure indulgence to accept it from your *nix box.

Cheers,
j.


----------



## anomie (Sep 4, 2009)

levinas69 said:
			
		

> The issue is that the OpenSSH package that comes with FreeBSD seems to do a reverse DNS lookup before requesting a password.  The lookup (observable with: tcpdump dst port 53) takes up to 60 seconds.



For some commentary on the reverse lookup, see this thread.

What nameservers are specified in your resolv.conf?


----------



## vivek (Sep 4, 2009)

> 4. So, question to the great BSD gurus in the sky is how the !$&#&%&%^ do you solve the frackin' problem. Excuse my language its been buggin' me for more than a week.


Never had any problem. All you need is correct entries in /etc/resolv.conf (on server side):

```
nameserver 10.0.80.11
nameserver 10.0.80.12
```
10.0.80.11 and 10.0.80.12 are my own caching dns server. Replace them with your own or ISP dns servers.


----------



## SirDice (Sep 4, 2009)

levinas69 said:
			
		

> 2. The issue is that the OpenSSH package that comes with FreeBSD seems to do a reverse DNS lookup before requesting a password.  The lookup (observable with: tcpdump dst port 53) takes up to 60 seconds.


This indicates that reverse lookups are b0rked. Most likely cause is a badly set up DNS server.


----------



## tobe (Sep 4, 2009)

"UseDNS no" fixed the latency for my setup.


----------



## unixeagle (Sep 4, 2009)

For your question: Hot to solve this issue?
It is pretty simple:

vi /etc/ssh/sshd_config and find UseDNS, make sure it is not commented and it has the value no

Then, /etc/rc.d/sshd reload

That's it!

You don't have to wait a;; 60 seconds to login to your box, and neither does any one in the world. Do not configure DNS daemon and you don't have to check your /etc/resolve.conf for bad values.

What "UseDNS no" does is that it tells the sshd not to reverse DNS lookup the connection source to make sure that it is who it claims to be. An add security check, which in most cases cripples the functionality of the daemon by making it slower to response.

If this doesn't help, I suggest you look into you /var/log/messages for any abnormal behaviors.


----------



## levinas69 (Oct 4, 2009)

Hi,

Sorry for the length of time replying.  Work, kid, more work.  Sigh.

You are right.  The problem is definitively DNS.  Since setting up dnsmasq on my Tomato router, the problem has disappeared.

I note that a complete hosts file was insufficient to fix the issue, presumably because the issue is a reverse lookup.

The directive UseDNS=No is no longer a valid directive in ssh_config.  It will produce the error: "Bad configuration option: UseDNS" This is with OpenSSH v.5.1p1 which is included with FreeBSD 7.2.  No mention of this issue in the OpenSSH mailing list.  It isn't clear if the UseDNS config is broken accidently, broken deliberately or deprecated.  

If anyone knows, it would be nice know -- even though I have solved the problem by other means, I like to know.

Thanks again everyone!
Jay.


----------



## dennylin93 (Oct 4, 2009)

UseDNS is still valid. Perhaps it wasn't used correctly. I just added:

```
UseDNS no
```

into /etc/ssh/sshd_config and restarted SSH. It still works.


----------



## crsd (Oct 4, 2009)

I guess OP's problem is not seeing difference between ssh_config and sshd_config


----------



## levinas69 (Oct 9, 2009)

DOH! <smack>Head on desk</smack>

Thanks!


----------



## molofishy (Oct 20, 2016)

Why is 

```
UseDNS no
```
not the default?


----------



## Joel Lopes Da Silva (Feb 28, 2017)

molofishy said:


> Why is
> 
> ```
> UseDNS no
> ...



That's a great question. I'm not sure what the actual reason is, but it seems like FreeBSD developers have made a conscious decision to deviate from the default value of the UseDNS configuration option from upstream. See https://svnweb.freebsd.org/base?view=revision&revision=294909.


----------



## weberjn (Jun 18, 2020)

Got the problem still in FreeBSD 12.1-RELEASE-p6 (behind a Fritz box),
`UseDNS no`
did help.


----------

