Date: Mon, 24 Sep 2001 07:16:18 -0400
From: Bill Moran <wmoran@iowna.com>
To: "Ron Smith" <ronnetron@hotmail.com>, wmoran@iowna.com, rj45@slacknet.com
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: STRANGE delay using NAT
Message-ID: <01092407161800.00641@proxy.the-i-pa.com>
In-Reply-To: <F203UMTzFm15k4R9xC200001383@hotmail.com>
References: <F203UMTzFm15k4R9xC200001383@hotmail.com>
I use ssh for *everything* as well (because - well, why use something insecure, when you have something secure right there?!) I have seen the exact problem he's speaking of here, but I haven't bothered to trace it down and figure out exactly what causes it. In my case, it doesn't happen enough to bother me.

On Monday 24 September 2001 00:12, Ron Smith wrote:
> I use 'ssh' for *everything*. I do not have this problem that is described.
> However *both* my nameservers are on the ISP side. I don't run any services,
> but I'm able to surf at will :-).
>
> Ron
>
> >From: Bill Moran <wmoran@iowna.com>
> >To: RJ45 <rj45@slacknet.com>
> >CC: freebsd-questions@FreeBSD.ORG
> >Subject: Re: STRANGE delay using NAT
> >Date: Sun, 23 Sep 2001 17:06:02 -0400
> >
> >RJ45 wrote:
> > > when I ssh x.y.z.v it takes around 3 minutes before prompting me for
> > > the password. If I instead ssh x.y.z.w (the gateway) and then ssh
> > > 10.0.0.1 it takes around 5 seconds.
> > > How come the response time with NAT is soooo damn slow ??
> > > Is there a way to fix the problem ??
> > > The problem is only in the first ssh authentication step; when SSH
> > > communication is established the connection looks fast.
> >
> >Usually, this kind of thing indicates a DNS problem. Most secure stuff
> >(like ssh) will do a reverse DNS lookup to verify the IP is not spoofed
> >and put the data in the logs. Three minutes is about the time it takes
> >to time out if nobody is providing reverse lookup information.
> >I don't know the ssh suite of protocols that well, but here's my guess:
> >ssh wants a reverse lookup before you log in (to help prevent spoofing
> >and man-in-the-middle attacks). When you go from a machine to proxy, the
> >reverse lookup for the proxy happens quick, then you ssh from proxy to
> >10.0.0.1 and the _proxy_ does the reverse lookup and succeeds.
> >However, when you ssh directly through the proxy to 10.0.0.1, your machine
> >is trying to do a reverse lookup for 10.0.0.1 - but that's not a real
> >Internet address, and no DNS servers on the Internet are going to resolve
> >it. So, after waiting 3 minutes, it gives up and lets you connect anyway.
> >
> >This is just a guess. It assumes that the sshd process will be sending
> >the IP addy back as part of the ssh protocol - I don't know if that's the
> >case or not. But the whole 3 minute thing sounds a lot like DNS timeouts.
> >
> >--
> >"Where's the robot to pat you on the back?"
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-questions" in the body of the message

--
Bill Moran
Potential Technology technical services
(412) 793-4257
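A diagnostic for the reverse-lookup step discussed in this thread, added here as an example rather than anything posted to the list: it times the PTR lookup sshd performs on the connecting address and flags RFC 1918 space such as 10.0.0.1, which no public nameserver can answer. The five-second threshold, the injectable resolver and the default peer list are constructed for the example.

```python
"""Added diagnostic, not code from the thread: times the reverse (PTR)
lookup sshd performs on the peer address before the password prompt and
says whether a public resolver could ever answer it."""
import ipaddress
import socket
import time

# Constructed threshold: a lookup slower than this is a resolver timing out,
# not a slow answer (the thread's symptom was about three minutes).
SLOW_SECONDS = 5.0


def public_ptr_possible(addr: str) -> bool:
    """RFC 1918 (10/8 etc.), loopback and link-local space has no PTR data on
    the public Internet; such a lookup can only fail outright or time out."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def reverse_lookup(addr: str, resolver=socket.gethostbyaddr) -> dict:
    """Run one PTR lookup the way sshd experiences it and classify the result.
    `resolver` is injectable so the check can be exercised without a network."""
    start = time.monotonic()
    try:
        name = resolver(addr)[0]
        status = "resolved"
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        name = None
        status = "failed"
    elapsed = time.monotonic() - start
    if not public_ptr_possible(addr):
        verdict = ("private address: only /etc/hosts or an internal zone can "
                   "answer; a public resolver fails or times out")
    elif elapsed > SLOW_SECONDS:
        verdict = "slow: nameservers in resolv.conf unreachable or not answering"
    elif status == "failed":
        verdict = "no PTR record: fast NXDOMAIN, not the delay from the thread"
    else:
        verdict = "ok"
    return {"addr": addr, "name": name, "status": status,
            "elapsed": round(elapsed, 3), "verdict": verdict}


if __name__ == "__main__":
    import sys
    # Default peers are the thread's internal host and loopback (constructed).
    for peer in sys.argv[1:] or ["10.0.0.1", "127.0.0.1"]:
        print(reverse_lookup(peer))
```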