[CentOS] how to debug ssh slow connection issues.

Sun May 25 19:26:42 UTC 2008
Jason Pyeron <jpyeron at pdinc.us>


> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
> Behalf Of Jay Leafey
> Sent: Sunday, May 25, 2008 2:17 PM
> 
> Jason Pyeron wrote:
> >
> >> -----Original Message-----
> >> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
> >> Behalf Of Filipe Brandenburger
> >> Sent: Friday, May 23, 2008 8:55 PM
> >>
> >> Try to change this in your /etc/ssh/sshd_config:
> >>
> >>
> >> Change:
> >>
> >> UseDNS yes
> >> to:
> >> UseDNS no
> >>
> >
> > Okay that fixed it, but why? I used nslookup and set my server to the
> > same as /etc/resolv.conf. There were no delays at all; all of our class C
> > resolves both ways (and matching), same as our private net.
> >
> > Where to go next on "properly" fixing this sshd/dns issue?
> >
> >
> 
> From the earlier posts, it appears that your DNS server is not properly
> resolving the REVERSE addresses, i.e. IP address-to-hostname.  SSH does
> a reverse lookup, trying to resolve the IP address to a hostname, unless
> you set the "UseDNS" option to "no".

Agreed, but all of my tests indicate DNS is fine.


> 
> Until you fix your DNS server to properly resolve the reverse addresses
> for your network you will continue to have this issue.  Having gone down
> this road myself, it's not as hard as it sounds.  Just having a
> nameserver resolve your local FORWARD zone won't cut it, you have to
> have the REVERSE zone set up too.

It does the reverse, indicated many posts ago, but has been since snipped
out.

> 
> In my example, I have a local network named "local" (how original!) and
> use the 192.168.1.0/24 address range.  The nameserver I use (Bind 9 on a
> CentOS box) is configured mostly as a caching nameserver but resolves
> two local domains, "local" and "1.168.192.in-addr.arpa".  All of the
> name-to-ip entries ("A" records) and aliases ("CNAME" records) are in
> the "local" zone, all of the ip-to-name entries ("PTR" records) are in
> the "1.168.192.in-addr.arpa" zone.
> 

Ditto.

DNS test for 192.168.1.0/24 and known not to exist 192.168.99.99

[root at devserver21 ~]# for i in `seq 0 255`; do host 192.168.1.$i | grep NXDOMAIN; done; host 192.168.99.99 | grep NXDOMAIN
Host 99.99.168.192.in-addr.arpa not found: 3(NXDOMAIN)
[root at devserver21 ~]# for i in `seq 0 255`; do host 192.168.1.$i; done; host 192.168.99.99


--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 
This message is for the designated recipient only and may contain
privileged, proprietary, or otherwise private information. If you
have received it in error, purge the message from your system and
notify the sender immediately.  Any other use of the email by you
is prohibited.
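The check sshd performs with "UseDNS yes" (reverse lookup of the client address, then a forward lookup of the returned name to confirm it maps back), run over the whole 192.168.1.0/24 from the thread with the time each PTR query takes, as an added example that is not part of the thread. It assumes the host utility (bind-utils), awk and GNU date; the script name ptrcheck.sh is hypothetical.

```shell
#!/bin/bash
# Added example (not from the thread): reproduce what sshd does with "UseDNS yes" for each
# address in a /24 and time it. A PTR that answers NXDOMAIN returns at once; a query that
# times out is what makes the login hang. Assumes 'host' (bind-utils), awk and GNU date.

# classify_ptr OUTPUT -> nxdomain | timeout | servfail | ptr | other, from 'host' reverse output
classify_ptr() {
    case "$1" in
        *NXDOMAIN*) echo nxdomain ;;
        *"timed out"*|*"no servers could be reached"*) echo timeout ;;
        *SERVFAIL*) echo servfail ;;
        *"domain name pointer"*) echo ptr ;;
        *) echo other ;;
    esac
}

# ptr_name OUTPUT -> the PTR target without its trailing dot (first one if several)
ptr_name() {
    printf '%s\n' "$1" | sed -n 's/.*domain name pointer \(.*\)\.$/\1/p' | head -n 1
}

# forward_matches NAME IP -> succeeds if NAME has an A record equal to IP (sshd's second step)
forward_matches() {
    host -t A -W 5 "$1" 2>/dev/null | grep -q " has address $2\$"
}

# check_ip IP -> one line: address, seconds spent on the PTR query, result, forward check
check_ip() {
    ip=$1
    start=$(date +%s.%N)
    out=$(host -W 5 "$ip" 2>&1) || true
    end=$(date +%s.%N)
    kind=$(classify_ptr "$out")
    fwd=-
    if [ "$kind" = ptr ]; then
        name=$(ptr_name "$out")
        if forward_matches "$name" "$ip"; then fwd=match; else fwd=MISMATCH; fi
    fi
    secs=$(awk -v a="$start" -v b="$end" 'BEGIN { printf "%.2f", b - a }')
    printf '%-15s %6ss %-8s %s\n' "$ip" "$secs" "$kind" "$fwd"
}

# scan_net PREFIX -> check every host of PREFIX.0/24; run as: ./ptrcheck.sh --scan 192.168.1
scan_net() {
    for i in $(seq 0 255); do check_ip "$1.$i"; done
}

if [ "${1:-}" = --scan ]; then scan_net "${2:-192.168.1}"; fi
```

A line showing several seconds or "timeout" is the address whose login stalls; NXDOMAIN lines come back immediately, and a MISMATCH line is a PTR whose name does not resolve back to the address, which sshd also logs and ignores.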