Date: Fri, 20 Jul 2018 13:15:34 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: FreeBSD-11.1 Jails and SSL
Message-ID: <aa3a1244-7b62-a2ce-89e9-eb4ff5955f43@FreeBSD.org>
In-Reply-To: <f7964527d64bf8a83c51a75ced360bd0.squirrel@webmail.harte-lyne.ca>
References: <b09a213c9018244d79763c7d65e98e1c.squirrel@webmail.harte-lyne.ca>
 <A820DA67-87FA-4638-B5D4-F87D63CB22C0@lists.vlassakakis.de>
 <56bbc3069975ec09b4771e57d138de64.squirrel@webmail.harte-lyne.ca>
 <39F372AB-BCCB-4A38-A351-F0F3ECCDEA21@lists.vlassakakis.de>
 <f7964527d64bf8a83c51a75ced360bd0.squirrel@webmail.harte-lyne.ca>

On 19/07/2018 21:52, James B. Byrne via freebsd-questions wrote:
> On Thu, July 19, 2018 16:38, Philipp Vlassakakis wrote:
>>> On 19.07.2018 at 22:29, James B. Byrne
>>> <byrnejb@harte-lyne.ca> wrote:
>>>
>>> UseDNS=YES in /etc/ssh/sshd_config
>> Does the problem persist if you disable this option?
>>
> No, it does not persist.  Log ons are now as fast as with any other
> host.  Why is UseDNS=YES (the default setting) a problem inside a jail
> and nowhere else?
>

SSH is doing a reverse lookup on the IP number your connection comes
from.  It's possible you're timing out on the IP lookup specifically.
Particularly if you're using private address space -- local_unbound has
some special settings around the handling of RFC1918 zones -- so compare
the per-jail config with your main host (which I presume has no similar
problems?)

Another potential gotcha is if your reverse IP space has a broken DNSSEC
configuration: local_unbound defaults to enabling DNSSEC processing
(indeed, that's the primary reason for having local_unbound at all) and
DNSSEC signing failures will essentially make the affected data
disappear from the DNS.

	Cheers,

	Matthew
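
An added example, not part of Matthew Seaman's message: a small Python check that times the reverse (PTR) lookup sshd performs for a client address when UseDNS is on, so the same address can be compared inside the jail and on the host. The function name, the `resolver` parameter, the 2-second threshold and the sample address are assumptions made for illustration.

```python
import ipaddress
import socket
import sys
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as LookupTimeout

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SLOW_SECONDS = 2.0  # assumed threshold for a noticeably delayed login


def check_reverse(ip, resolver=socket.gethostbyaddr, timeout=10.0):
    """Time one PTR lookup for ip, as sshd does for a client when UseDNS is on.

    resolver is injectable (hypothetical parameter) so the check runs offline.
    """
    addr = ipaddress.ip_address(ip)
    pool = ThreadPoolExecutor(max_workers=1)
    start = time.monotonic()
    future = pool.submit(resolver, ip)
    try:
        host, status = future.result(timeout=timeout)[0], "ok"
    except LookupTimeout:
        host, status = None, "timeout"      # resolver never answered in time
    except (socket.herror, socket.gaierror):
        host, status = None, "no-ptr"       # resolver answered: no usable PTR data
    seconds = time.monotonic() - start
    pool.shutdown(wait=False)               # return now; the worker ends on its own
    return {
        "ip": ip,
        "ptr_query": addr.reverse_pointer,  # name to compare with drill/dig output
        "rfc1918": any(addr in net for net in RFC1918),
        "status": status,
        "host": host,
        "seconds": round(seconds, 3),
        "slow": status == "timeout" or seconds >= SLOW_SECONDS,
    }


if __name__ == "__main__":
    # Usage: run inside the jail and on the host with the same client address.
    for arg in sys.argv[1:] or ["192.168.1.10"]:  # constructed sample address
        r = check_reverse(arg)
        print(r)
        if r["slow"] and r["rfc1918"]:
            print("  private address: compare this jail's resolver config with the host's")
        elif r["status"] == "no-ptr":
            print("  no PTR data returned: check the reverse zone, including its DNSSEC signing")
```

A result that is slow or empty in the jail but fast on the host points at the jail's resolver configuration rather than at sshd itself.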