Date:      Sun, 23 Sep 2001 21:12:50 -0700
From:      "Ron Smith" <ronnetron@hotmail.com>
To:        wmoran@iowna.com, rj45@slacknet.com
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: STRANGE delay using NAT
Message-ID:  <F203UMTzFm15k4R9xC200001383@hotmail.com>

I use 'ssh' for *everything*. I do not have this problem that is described. 
However, *both* my nameservers are on the ISP side. I don't run any services, 
but I'm able to surf at will :-).

Ron


>From: Bill Moran <wmoran@iowna.com>
>To: RJ45 <rj45@slacknet.com>
>CC: freebsd-questions@FreeBSD.ORG
>Subject: Re: STRANGE delay using NAT
>Date: Sun, 23 Sep 2001 17:06:02 -0400
>
>RJ45 wrote:
> > When I ssh x.y.z.v, it takes around 3 minutes before prompting me for the
> > password. If I instead ssh x.y.z.w (the gateway) and then ssh 10.0.0.1,
> > it takes around 5 seconds.
> > How come the response time with NAT is soooo damn slow??
> > Is there a way to fix the problem??
> > The problem is only in the first ssh authentication step; once SSH
> > communication is established, the connection looks fast.
>
>Usually, this kind of thing indicates a DNS problem.  Most secure stuff
>(like ssh) will do a reverse DNS lookup to verify the IP is not spoofed
>and put the data in the logs.  Three minutes is about the time it takes
>to time out if nobody is providing reverse lookup information.
>I don't know the ssh suite of protocols that well, but here's my guess:
>ssh wants a reverse lookup before you log in (to help prevent spoofing
>and man-in-the-middle attacks).  When you go from a machine to proxy, the
>reverse lookup for the proxy happens quickly, then you ssh from proxy to
>10.0.0.1 and the _proxy_ does the reverse lookup and succeeds.
>However, when you ssh directly through the proxy to 10.0.0.1, your machine
>is trying to do a reverse lookup for 10.0.0.1 - but that's not a real
>Internet address, and no DNS servers on the Internet are going to resolve
>it.  So, after waiting 3 minutes, it gives up and lets you connect anyway.
>
>This is just a guess.  It assumes that the sshd process will be sending
>the IP addy back as part of the ssh protocol - I don't know if that's the
>case or not.  But the whole 3 minute thing sounds a lot like DNS timeouts.
>
>--
>"Where's the robot to pat you on the back?"
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?F203UMTzFm15k4R9xC200001383>