Date:      Mon, 24 Sep 2001 07:34:53 -0400
From:      Bill Moran <wmoran@iowna.com>
To:        RJ45 <rj45@slacknet.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: STRANGE delay using NAT
Message-ID:  <01092407345303.00641@proxy.the-i-pa.com>
In-Reply-To: <Pine.LNX.4.21.0109240140400.8262-100000@slacknet.slacknet.com>
References:  <Pine.LNX.4.21.0109240140400.8262-100000@slacknet.slacknet.com>

On Monday 24 September 2001 03:41, RJ45 wrote:
> thank you, this looks possibly true...
> any hints you could have to solve this problem??
> thanks

You could check the settings for ssh and see if you can turn off DNS
checking (which may reduce the security of the connection).  I don't
know if ssh will let you do this or not.
Another option is to tweak your /etc/hosts file to have a record in there
that resolves quickly and make sure your resolve order has files first.
I don't know if either of these will work - I haven't tried either of them,
but they're possibilities.  Keep in mind, that I'm not even sure if what
I suggest is really the problem, it's just a theory.

> On Sun, 23 Sep 2001, Bill Moran wrote:
> > RJ45 wrote:
> > > when I ssh x.y.z.v it takes around 3 minutes before prompting me for
> > > the password. If I instead ssh x.y.z.w (the gateway) and then ssh
> > > 10.0.0.1 it takes around 5 seconds.
> > > How come the response time with NAT is soooo damn slow ??
> > > IS there a way to fix the problem ??
> > > The problem is only in the first ssh authentication step, when SSH
> > > communication is established the connection looks fast.
> >
> > Usually, this kind of thing indicates a DNS problem.  Most secure stuff
> > (like ssh) will do a reverse DNS lookup to verify the IP is not spoofed
> > and put the data in the logs.  Three minutes is about the time it takes
> > to time out if nobody is providing reverse lookup information.
> > I don't know the ssh suite of protocols that well, but here's my guess:
> > ssh wants a reverse lookup before you log in (to help prevent spoofing
> > and man-in-the-middle attacks). When you go from a machine to proxy, the
> > reverse lookup for the proxy happens quick, then you ssh from proxy to
> > 10.0.0.1 and the _proxy_ does the reverse lookup and succeeds.
> > However, when you ssh directly through the proxy to 10.0.0.1, your
> > machine is trying to do a reverse lookup for 10.0.0.1 - but that's not a
> > real Internet address, and no DNS servers on the Internet are going to
> > resolve it.  So, after waiting 3 minutes, it gives up and lets you
> > connect anyway.
> >
> > This is just a guess.  It assumes that the sshd process will be sending
> > the IP addy back as part of the ssh protocol - I don't know if that's the
> > case or not.  But the whole 3 minute thing sounds a lot like DNS
> > timeouts.

-- 
Bill Moran
Potential Technology technical services
(412) 793-4257
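The two fixes Bill suggests (turn off the reverse lookup in ssh, or put a
local /etc/hosts entry ahead of DNS in the resolve order) can be checked
mechanically. The script below is an added example written for this
thread, not code from the original message or from FreeBSD. It assumes
the sshd_config directive is `UseDNS` (its name in current OpenSSH;
releases from 2001 spelled the option differently) and that the resolve
order comes from an nsswitch.conf-style `hosts:` line (FreeBSD 4.x of that
era read /etc/host.conf instead). In OpenSSH it is the server side, sshd,
that does the reverse lookup of the address a client connects from, so
the checks are run against the server's files for the client's address.
The sample sshd_config, hosts and nsswitch fragments, and the hostnames
and addresses in them (gw-inside.lan, client.example.net, 192.0.2.10,
198.51.100.7), are constructed for the example.

```python
"""Check whether an OpenSSH server will stall on a reverse-DNS lookup of a
connecting client, and whether a local hosts entry would short-circuit it.

Added example for this mailing-list thread, not the original poster's code.
Assumptions: the sshd directive is 'UseDNS' (modern OpenSSH name) and the
resolve order is an nsswitch.conf-style 'hosts:' line.
"""
import ipaddress
import re

# Constructed sample files; not captured from a real system.
SSHD_CONFIG_SLOW = """
Port 22
UseDNS yes
PermitRootLogin no
"""

SSHD_CONFIG_FAST = """
Port 22
UseDNS no
PermitRootLogin no
"""

HOSTS_FILE = """
127.0.0.1   localhost
10.0.0.1    gw-inside.lan gw-inside
192.0.2.10  client.example.net client
"""

NSSWITCH_FILES_FIRST = "hosts: files dns\n"
NSSWITCH_DNS_FIRST = "hosts: dns files\n"


def use_dns_enabled(sshd_config: str) -> bool:
    """True if sshd will try to resolve the client's address to a name.
    A missing directive is treated as 'yes', the historical default."""
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(?i)^UseDNS\s+(\S+)", line)
        if m:
            return m.group(1).lower() == "yes"
    return True


def hosts_has_entry(hosts_text: str, ip: str) -> bool:
    """True if the hosts file maps ip to at least one name."""
    target = ipaddress.ip_address(ip)
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            if ipaddress.ip_address(fields[0]) == target:
                return True
        except ValueError:  # malformed address field, skip the line
            continue
    return False


def files_before_dns(nsswitch_text: str) -> bool:
    """True if the 'hosts:' line consults local files before DNS."""
    for line in nsswitch_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == "hosts:":
            order = fields[1:]
            if "dns" not in order:
                return True
            if "files" not in order:
                return False
            return order.index("files") < order.index("dns")
    return False  # no hosts: line, so assume DNS may be asked first


def will_stall_on_reverse_lookup(sshd_config: str, hosts_text: str,
                                 nsswitch_text: str, client_ip: str) -> bool:
    """True when sshd will send the client's PTR query to DNS, the case
    that can take minutes to time out if no server answers for it."""
    if not use_dns_enabled(sshd_config):
        return False
    if hosts_has_entry(hosts_text, client_ip) and files_before_dns(nsswitch_text):
        return False
    return True


if __name__ == "__main__":
    cases = [
        ("UseDNS yes, dns first, no hosts entry", SSHD_CONFIG_SLOW, NSSWITCH_DNS_FIRST, "198.51.100.7"),
        ("UseDNS yes, files first, hosts entry", SSHD_CONFIG_SLOW, NSSWITCH_FILES_FIRST, "192.0.2.10"),
        ("UseDNS no, dns first, no hosts entry", SSHD_CONFIG_FAST, NSSWITCH_DNS_FIRST, "198.51.100.7"),
    ]
    for label, cfg, nss, ip in cases:
        verdict = will_stall_on_reverse_lookup(cfg, HOSTS_FILE, nss, ip)
        print(f"{label}: {'may stall' if verdict else 'no DNS wait'}")
```

Two caveats a practitioner would want: `UseDNS no` only changes what sshd
logs and whether hostname patterns (`from=` in authorized_keys, `Match
Host`) can match; it does not weaken the key exchange or authentication.
And sshd is not the only thing on a server that may resolve the client's
address: TCP wrappers with hostname patterns in hosts.allow, or PAM
modules, can add a lookup of their own, so a delay that survives this
change should be traced with a packet capture of port 53 on the server.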
