From owner-freebsd-security Thu May 3 21:34:20 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp6.port.ru (mx6.port.ru [194.67.23.42])
    by hub.freebsd.org (Postfix) with ESMTP id EA6D337B422
    for ; Thu, 3 May 2001 21:34:16 -0700 (PDT)
    (envelope-from lists@mail.ru)
Received: from du16-11.fibertel.com.ar ([24.232.11.16] helo=mail.ru)
    by smtp6.port.ru with esmtp (Exim 3.14 #6) id 14vXIE-000No1-00
    for freebsd-security@freebsd.org; Fri, 04 May 2001 08:34:14 +0400
Message-ID: <3AF23077.55DEA3D8@mail.ru>
Date: Fri, 04 May 2001 01:30:47 -0300
From: "lists@mail.ru"
X-Mailer: Mozilla 4.77 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Re: reverse or not
References: <5.0.2.1.2.20010503145244.00a12e50@nol.co.za> <20010503170027.B9233@tjhsst.edu> <3AF1DC23.32BB39B3@globalstar.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Crist Clark wrote:
>
> Andrew Barros wrote:
> >
> > I've had similar problems with sshd when my internet connection goes out.
> >
> > If you try to ssh into that machine, it takes _forever_ even if the local
> > nameserver is running.

When the SSH server accepts a connection it does a reverse lookup of the client's IP address. If that IP address is not in your named configuration, the named will try to resolve it as usual in DNS queries, using other DNS servers. If the link is down, the SSH will return from the reverse lookup when the timeout of the reverse lookup expires.

> Just because named is running does not mean DNS is configured correctly. ;)
>
> Run a tcpdump on the external interface to see if there are still queries
> going out for some reason, and you are waiting for them to timeout. Run ssh
> with the '-v' option to see where things are hanging. Possibly try sshd with
> '-d' as well.
> --
> Crist J. Clark                     Network Security Engineer
> crist.clark@globalstar.com         Globalstar, L.P.
> (408) 933-4387                     FAX: (408) 933-4926
>
> The information contained in this e-mail message is confidential,
> intended only for the use of the individual or entity named above. If
> the reader of this e-mail is not the intended recipient, or the employee
> or agent responsible to deliver it to the intended recipient, you are
> hereby notified that any review, dissemination, distribution or copying
> of this communication is strictly prohibited. If you have received this
> e-mail in error, please contact postmaster@globalstar.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

Why don't you check if reverse lookups are resolved by your nameserver? Try it using "nslookup 127.0.0.1 127.0.0.1". If you are not resolving reverse queries for 127.0.0.1, nobody will do it and then the timeout will happen.

- Agustin Azubel Friedman -
aazubel@mail.ru
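
The reverse-lookup check suggested in the message above, as an added example that is not part of the original thread: it sends one PTR query for an address to a chosen nameserver and reports whether it was answered, refused or timed out, the last being the case that stalls sshd logins. The function names, the transaction ID and the 3-second default timeout are assumptions made for this sketch.

```python
import socket
import struct

def ptr_name(ipv4: str) -> str:
    """Reverse-lookup name for an IPv4 address, e.g. 1.0.0.127.in-addr.arpa."""
    octets = socket.inet_aton(ipv4)  # raises OSError on an invalid address
    return ".".join(str(b) for b in reversed(octets)) + ".in-addr.arpa"

def build_ptr_query(ipv4: str, txid: int = 0x1234) -> bytes:
    """DNS query packet: header (RD set, one question) + QNAME + PTR/IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in ptr_name(ipv4).split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 12, 1)  # QTYPE=PTR, QCLASS=IN

def classify_reply(reply: bytes, txid: int = 0x1234) -> str:
    """Turn a reply header into a verdict using the QR bit, RCODE and ANCOUNT."""
    if len(reply) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID or not a response
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 0:
        return "answered" if ancount else "no-data"
    return {2: "servfail", 3: "nxdomain", 5: "refused"}.get(rcode, f"rcode-{rcode}")

def check_reverse(ipv4: str, server: str = "127.0.0.1", port: int = 53,
                  timeout: float = 3.0) -> str:
    """Send one PTR query to `server`; 'timeout' is the slow-login case."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_ptr_query(ipv4), (server, port))
            reply, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout"
        except OSError:  # e.g. no route to the server
            return "unreachable"
    return classify_reply(reply)

if __name__ == "__main__":
    # Same check as "nslookup 127.0.0.1 127.0.0.1": ask the local named directly.
    print(ptr_name("127.0.0.1"), check_reverse("127.0.0.1"))
```

A verdict of "timeout" or "servfail" for an address the local named should own points at a missing reverse zone rather than at sshd itself.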