From owner-freebsd-questions Mon Sep 24 0:54:54 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from hotmail.com (f212.law11.hotmail.com [64.4.17.212]) by hub.freebsd.org (Postfix) with ESMTP id E16A937B410 for ; Mon, 24 Sep 2001 00:54:50 -0700 (PDT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 24 Sep 2001 00:54:50 -0700
Received: from 64.170.63.74 by lw11fd.law11.hotmail.msn.com with HTTP; Mon, 24 Sep 2001 07:54:50 GMT
X-Originating-IP: [64.170.63.74]
From: "Ron Smith"
To: rj45@slacknet.com, wmoran@iowna.com
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: STRANGE delay using NAT
Date: Mon, 24 Sep 2001 00:54:50 -0700
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 24 Sep 2001 07:54:50.0548 (UTC) FILETIME=[302FDF40:01C144CE]
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

How is your DNS situation set up?

Ron

>From: RJ45
>To: Bill Moran
>CC: freebsd-questions@FreeBSD.ORG
>Subject: Re: STRANGE delay using NAT
>Date: Mon, 24 Sep 2001 01:41:02 -0600 (MDT)
>
>
>thank you, this looks possibly true...
>any hints you could have to solve this problem??
>thanks
>
>Rick
>
>
>On Sun, 23 Sep 2001, Bill Moran wrote:
>
> > RJ45 wrote:
> > > when I ssh x.y.z.v it takes around 3 minutes before prompting me for the
> > > password. If I instead ssh x.y.z.w (the gateway) and then ssh 10.0.0.1
> > > it takes around 5 seconds.
> > > How come the response time with NAT is soooo damn slow ??
> > > IS there a way to fix the problem ??
> > > The problem is only in the first ssh authentication step; when SSH
> > > communication is established the connection looks fast.
> >
> > Usually, this kind of thing indicates a DNS problem. Most secure stuff
> > (like ssh) will do a reverse DNS lookup to verify the IP is not spoofed
> > and put the data in the logs. Three minutes is about the time it takes
> > to time out if nobody is providing reverse lookup information.
> > I don't know the ssh suite of protocols that well, but here's my guess:
> > ssh wants a reverse lookup before you log in (to help prevent spoofing
> > and man-in-the-middle attacks). When you go from a machine to proxy, the
> > reverse lookup for the proxy happens quick, then you ssh from proxy to
> > 10.0.0.1 and the _proxy_ does the reverse lookup and succeeds.
> > However, when you ssh directly through the proxy to 10.0.0.1, your machine
> > is trying to do a reverse lookup for 10.0.0.1 - but that's not a real
> > Internet address, and no DNS servers on the Internet are going to resolve
> > it. So, after waiting 3 minutes, it gives up and lets you connect anyway.
> >
> > This is just a guess. It assumes that the sshd process will be sending
> > the IP addy back as part of the ssh protocol - I don't know if that's the
> > case or not. But the whole 3 minute thing sounds a lot like DNS timeouts.
> >
> > --
> > "Where's the robot to pat you on the back?"
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
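The reverse-lookup theory in the quoted message, worked through as an added diagnostic that is not part of this thread or of FreeBSD: given the address ssh is about to talk to and the client's resolver configuration, it predicts whether a PTR query for that address can be answered at all, roughly how long a query that nobody answers would stall before ssh continues, and which local fix (a hosts entry on the client, or a reverse zone on a DNS server the client uses) removes the wait. The resolv.conf contents, the host name, and the linear timeout model (timeout x attempts x nameservers, ignoring any backoff a particular libc applies) are assumptions.

```python
import ipaddress
import re

# Constructed resolver configuration for the NAT client in the thread:
# two public nameservers and the common defaults. Not from the original mail.
SAMPLE_RESOLV_CONF = """\
nameserver 192.0.2.53
nameserver 198.51.100.53
options timeout:5 attempts:2
"""

# Constructed: a name the client could hold locally (an /etc/hosts entry),
# so the private address never needs a PTR query on the public Internet.
SAMPLE_HOSTS = {"10.0.0.1": "inside.example.test"}


def parse_resolv_conf(text):
    """Extract (nameservers, timeout_seconds, attempts) from resolv.conf text.

    5 s and 2 attempts are the usual resolver defaults. The real retry
    schedule differs between libc implementations (assumption here: a flat
    schedule with no exponential backoff), so treat the figures as estimates.
    """
    servers, timeout, attempts = [], 5, 2
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *rest = line.split()
        if key == "nameserver" and rest:
            servers.append(rest[0])
        elif key == "options":
            for opt in rest:
                m = re.fullmatch(r"(timeout|attempts):(\d+)", opt)
                if m and m.group(1) == "timeout":
                    timeout = int(m.group(2))
                elif m:
                    attempts = int(m.group(2))
    return servers, timeout, attempts


def worst_case_lookup_delay(servers, timeout, attempts):
    """Upper bound on how long a query takes to fail when nothing answers:
    every attempt is sent to every nameserver and waits the full timeout."""
    return timeout * attempts * len(servers)


def ptr_name(addr):
    """The in-addr.arpa name that a reverse lookup of addr asks for."""
    return ipaddress.ip_address(addr).reverse_pointer


def diagnose(addr, resolv_conf_text, hosts=None):
    """Predict what the reverse lookup of addr does before ssh shows a prompt."""
    ip = ipaddress.ip_address(addr)
    hosts = hosts or {}
    servers, timeout, attempts = parse_resolv_conf(resolv_conf_text)
    report = {"addr": str(ip), "ptr": ptr_name(addr)}
    if str(ip) in hosts:
        # Answered from the local hosts table: no network query, no wait.
        report.update(outcome="local", name=hosts[str(ip)], max_wait_s=0)
        return report
    max_wait = worst_case_lookup_delay(servers, timeout, attempts)
    if ip.is_private:
        # Nothing on the public Internet can answer for this network's
        # private space. If the configured resolvers drop or time out the
        # query instead of returning a quick negative answer, ssh sits
        # through the whole retry schedule before it carries on.
        report.update(
            outcome="no_public_ptr",
            max_wait_s=max_wait,
            fix=(f"add '{ip} <name>' to /etc/hosts on the ssh client, or serve "
                 f"{report['ptr']} from a DNS server the client uses"),
        )
        return report
    # Public address: the query can be answered normally; max_wait_s is only
    # what a dead resolver would cost.
    report.update(outcome="public_lookup", max_wait_s=max_wait)
    return report


if __name__ == "__main__":
    # Before and after the local fix for the thread's inside host.
    print(diagnose("10.0.0.1", SAMPLE_RESOLV_CONF))
    print(diagnose("10.0.0.1", SAMPLE_RESOLV_CONF, SAMPLE_HOSTS))
```

With the sample configuration the flat model gives a 20 s stall per connection, well short of the three minutes reported; a resolver that doubles its timeout on each retry, or one with more attempts or nameservers configured, stretches the same silence much further, which is why the first thing to check is what the client's resolver does with a PTR query for 10.0.0.1 rather than the ssh software itself.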