Date: Mon, 24 Sep 2001 01:41:02 -0600 (MDT)
From: RJ45 <rj45@slacknet.com>
To: Bill Moran <wmoran@iowna.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: STRANGE delay using NAT
Message-ID: <Pine.LNX.4.21.0109240140400.8262-100000@slacknet.slacknet.com>
In-Reply-To: <3BAE4EBA.D4EBA2E9@iowna.com>
Thank you, this looks possibly true... Any hints you could have to solve this problem?? Thanks, Rick

On Sun, 23 Sep 2001, Bill Moran wrote:

> RJ45 wrote:
> > when I ssh x.y.z.v it takes around 3 minutes before prompting me for the
> > password. If I instead ssh x.y.z.w (the gateway) and then ssh 10.0.0.1
> > it takes around 5 seconds.
> > How come the response time with NAT is soooo damn slow ??
> > Is there a way to fix the problem ??
> > The problem is only in the first ssh authentication step; when SSH
> > communication is established the connection looks fast.
>
> Usually, this kind of thing indicates a DNS problem. Most secure stuff
> (like ssh) will do a reverse DNS lookup to verify the IP is not spoofed
> and put the data in the logs. Three minutes is about the time it takes
> to time out if nobody is providing reverse lookup information.
> I don't know the ssh suite of protocols that well, but here's my guess:
> ssh wants a reverse lookup before you log in (to help prevent spoofing
> and man-in-the-middle attacks). When you go from a machine to proxy, the
> reverse lookup for the proxy happens quick, then you ssh from proxy to
> 10.0.0.1 and the _proxy_ does the reverse lookup and succeeds.
> However, when you ssh directly through the proxy to 10.0.0.1, your machine
> is trying to do a reverse lookup for 10.0.0.1 - but that's not a real
> Internet address, and no DNS servers on the Internet are going to resolve
> it. So, after waiting 3 minutes, it gives up and lets you connect anyway.
>
> This is just a guess. It assumes that the sshd process will be sending
> the IP addy back as part of the ssh protocol - I don't know if that's the
> case or not. But the whole 3 minute thing sounds a lot like DNS timeouts.
>
> --
> "Where's the robot to pat you on the back?"
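Editor's added example (not code from this thread, from FreeBSD or from OpenSSH): the reply above attributes the three-minute stall to a reverse-DNS (PTR) lookup for 10.0.0.1 that no resolver can answer. The script below times one PTR lookup for a peer address and classifies the outcome, so you can tell a hung resolver apart from a fast negative answer or from a delay that lives elsewhere (TCP, key exchange, PAM). Note that in practice it is sshd on the machine you log into that reverse-resolves the address the connection arrives from, so run it there, against the address that appears in its logs. The 5-second threshold, the `Resolver` type alias and the `fake_*` resolvers are assumptions of this example, constructed so the logic runs offline.

```python
"""Time and classify a reverse-DNS (PTR) lookup for a peer address.

Added diagnostic for the "slow ssh login through NAT" thread above; it is
not code from the thread, FreeBSD or OpenSSH. The threshold and the fake
resolvers are this example's own assumptions.
"""
import ipaddress
import socket
import sys
import time
from typing import Callable, List, Optional, Tuple

# Assumption: a healthy PTR answer comes back well under a second, while a
# resolver giving up on an unanswerable query takes many seconds.
SLOW_SECONDS = 5.0

# RFC 1918 ranges: public DNS holds no PTR records for them, so a lookup
# that leaves your own network can only fail fast or hang.
RFC1918 = tuple(ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# Same shape as socket.gethostbyaddr: (hostname, aliases, addresses)
Resolver = Callable[[str], Tuple[str, List[str], List[str]]]


def is_rfc1918(addr: str) -> bool:
    """True for private IPv4 addresses such as the 10.0.0.1 in the thread."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def time_reverse_lookup(addr: str,
                        resolver: Resolver = socket.gethostbyaddr
                        ) -> Tuple[Optional[str], float]:
    """Run one PTR lookup; return (hostname or None, seconds elapsed)."""
    start = time.monotonic()
    try:
        name: Optional[str] = resolver(addr)[0]
    except (socket.herror, socket.gaierror, OSError):
        name = None
    return name, time.monotonic() - start


def diagnose(addr: str,
             resolver: Resolver = socket.gethostbyaddr,
             slow_seconds: float = SLOW_SECONDS) -> str:
    """Classify reverse-lookup behaviour for one peer address.

    "ok"              fast answer with a name: DNS is not the stall
    "nxdomain"        fast negative answer: not the stall either
    "timeout-private" slow failure on an RFC 1918 address: the "no
                      internal reverse zone" case the thread describes
    "timeout"         slow failure on a public address: the address
                      simply has no working PTR
    """
    name, secs = time_reverse_lookup(addr, resolver)
    if secs < slow_seconds:
        return "ok" if name is not None else "nxdomain"
    if is_rfc1918(addr):
        return "timeout-private"
    return "timeout"


# Constructed stand-ins for the resolver so the logic can be exercised
# offline; none of them touches the network.
def fake_fast_resolver(addr: str):
    return ("gw.example.invalid", [], [addr])


def fake_nxdomain_resolver(addr: str):
    raise socket.herror(1, "Unknown host")


def make_fake_hanging_resolver(delay: float) -> Resolver:
    def resolver(addr: str):
        time.sleep(delay)          # stands in for a resolver retrying in vain
        raise socket.herror(1, "Unknown host")
    return resolver


if __name__ == "__main__":
    # Usage: python3 ptrcheck.py 10.0.0.1 <other peer addresses...>
    for peer in sys.argv[1:]:
        hostname, elapsed = time_reverse_lookup(peer)
        print(f"{peer:16} {elapsed:7.2f}s  {hostname or '-':30} "
              f"{diagnose(peer)}")
```

A verdict of `timeout-private` on the machine running sshd means the resolver it uses has no reverse zone for the private range. Either give it one (a PTR record for 10.0.0.1 in the internal DNS, or an /etc/hosts entry if the resolver order consults the hosts file first), or stop sshd from looking at all: current OpenSSH accepts `UseDNS no` in sshd_config, which skips the reverse lookup and removes the stall at the cost of log lines showing only the address.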