bugzilla-daemon at mindrot.org
2004-Sep-03 13:36 UTC
[Bug 924] Bogus IPv6 DNS queries cause unnecessary root server traffic
http://bugzilla.mindrot.org/show_bug.cgi?id=924

           Summary: Bogus IPv6 DNS queries cause unnecessary root server traffic
           Product: Portable OpenSSH
           Version: 3.8p1
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: jgiglio at netmar.com
           Also At: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=131610

The OpenSSH client will make a series of DNS queries when a user uses ssh to connect to an unqualified short name on a LAN. Some of the IPv6 queries are fed to the name server defined in resolv.conf as if they were a TLD query, which gets bogus traffic forwarded to the root DNS servers.

For example:

  ssh user@hostname

resolv.conf:

  domain sub.domain.com
  nameserver 192.1.1.2

Packet capture:

  13:39:40.375681 192.1.1.252.34288 > 192.1.1.2.domain: 57759+ AAAA? hostname.sub.domain.com. (45) (DF)
  13:39:40.376425 192.1.1.252.34288 > 192.1.1.2.domain: 57760+ AAAA? hostname. (25) (DF)
  13:39:40.395541 192.1.1.252.34288 > 192.1.1.2.domain: 57761+ A? hostname.sub.domain.com. (45) (DF)

The second packet is the problem, as the name server will interpret this as a TLD lookup, causing bogus root name server traffic.

We use ssh extensively in our internal apps, with thousands of ssh sessions being established per day. As this bug seems widespread, I can only imagine what the global impact on root name server traffic is.

In addition to the impact on root server traffic, this problem will cause a 10 second delay in any ssh connections if the local DNS server loses connectivity to the outside world for some reason. This is how this problem was discovered: our Internet connection failed, and suddenly internal SSH connections took 10 seconds longer. This happens as the DNS server waits for two 5 second timeouts for the second query listed above.

Version-Release number of selected component (if applicable):
All versions it seems.
------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
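The query sequence in the report is the stub resolver's search-list walk, not anything ssh itself does. The script below is an added example (not code from the report or from OpenSSH) that models that walk: it parses the report's resolv.conf, lists the absolute names a glibc-style res_search() tries for an unqualified name (search list first, bare name last, subject to ndots), replays a getaddrinfo() lookup against a constructed zone in which only the A record for the fully qualified name exists, and flags the single-label queries in the report's tcpdump output that a recursive server can only answer by asking the root. The order in which AAAA and A searches run, the "stop at the first candidate that answers" rule, and the mapping of `AddressFamily inet` to an A-only lookup are assumptions taken from the capture and the reply, not from the glibc source; the zone contents are constructed.

```python
"""Model of how a stub resolver (glibc res_search(), as used by getaddrinfo())
expands an unqualified name against resolv.conf, plus a check that flags the
single-label queries from a tcpdump capture that the nameserver must forward
to the root servers. Added example; not OpenSSH or glibc code."""
import re
from dataclasses import dataclass, field


@dataclass
class ResolvConf:
    search: list = field(default_factory=list)  # search domains, in order
    ndots: int = 1                               # glibc default


def parse_resolv_conf(text):
    """Minimal resolv.conf parser: 'domain', 'search' and 'options ndots:N'.
    'domain' and 'search' are mutually exclusive; the last one seen wins."""
    conf = ResolvConf()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "domain" and args:
            conf.search = [args[0]]
        elif key == "search":
            conf.search = list(args)
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    conf.ndots = int(opt.split(":", 1)[1])
    return conf


def candidates(name, conf):
    """Absolute names the resolver tries, in order. A name with at least
    'ndots' dots is tried as-is first; otherwise the search list goes first
    and the bare name is the final fallback. That fallback is the 'hostname.'
    query from the report: a single-label absolute name that the recursive
    server can only resolve by asking the root."""
    if name.endswith("."):
        return [name]                      # already fully qualified
    bare = name + "."
    searched = [f"{name}.{d.rstrip('.')}." for d in conf.search]
    if name.count(".") >= conf.ndots:
        return [bare] + searched
    return searched + [bare]


def queries_sent(name, conf, zone, family="unspec"):
    """Replay a getaddrinfo() lookup against a constructed zone. 'zone' is the
    set of (qname, qtype) pairs that have a record. Assumed from the report's
    capture: each query type walks the whole candidate list until a candidate
    answers, and the AAAA search runs before the A search. family='inet' is
    what 'AddressFamily inet' in ssh_config asks for."""
    qtypes = {"unspec": ["AAAA", "A"], "inet6": ["AAAA"], "inet": ["A"]}[family]
    sent = []
    for qtype in qtypes:
        for qname in candidates(name, conf):
            sent.append((qtype, qname))
            if (qname, qtype) in zone:
                break
    return sent


def is_tld_query(qname):
    """True for an absolute name with exactly one label, e.g. 'hostname.'."""
    labels = qname.rstrip(".").split(".")
    return len(labels) == 1 and labels[0] != ""


# tcpdump summary format from the report: '... 57760+ AAAA? hostname. (25) (DF)'
_TCPDUMP_QUERY = re.compile(r"\b\d+\+ (AAAA|A)\? (\S+) \(")


def flag_root_bound_queries(capture):
    """Return (qtype, qname) for every query in a tcpdump capture whose name is
    a single label, i.e. one the nameserver has to forward to the root."""
    flagged = []
    for line in capture.splitlines():
        m = _TCPDUMP_QUERY.search(line)
        if m and is_tld_query(m.group(2)):
            flagged.append((m.group(1), m.group(2)))
    return flagged


# resolv.conf and capture lines copied from the report; the zone is constructed
# so that only the A record of the fully qualified name exists.
RESOLV_CONF = "domain sub.domain.com\nnameserver 192.1.1.2\n"
CAPTURE = """\
13:39:40.375681 192.1.1.252.34288 > 192.1.1.2.domain: 57759+ AAAA? hostname.sub.domain.com. (45) (DF)
13:39:40.376425 192.1.1.252.34288 > 192.1.1.2.domain: 57760+ AAAA? hostname. (25) (DF)
13:39:40.395541 192.1.1.252.34288 > 192.1.1.2.domain: 57761+ A? hostname.sub.domain.com. (45) (DF)
"""
ZONE = {("hostname.sub.domain.com.", "A")}

if __name__ == "__main__":
    conf = parse_resolv_conf(RESOLV_CONF)
    for fam in ("unspec", "inet"):
        print(fam, queries_sent("hostname", conf, ZONE, fam))
    print("root-bound queries in capture:", flag_root_bound_queries(CAPTURE))
```

Replaying the report's lookup reproduces its three packets exactly: the AAAA search gets no answer for `hostname.sub.domain.com.` and falls through to `hostname.`, while the A search stops at the first candidate because that record exists. With `family="inet"` only the single A query is sent, which is why the reply's `AddressFamily inet` suggestion removes the root-bound query here; note that the bare-name fallback is still part of the search algorithm, so any lookup whose searched name has no record of the requested type will reach it regardless of address family.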
bugzilla-daemon at mindrot.org
2004-Sep-03 22:28 UTC
[Bug 924] Bogus IPv6 DNS queries cause unnecessary root server traffic
http://bugzilla.mindrot.org/show_bug.cgi?id=924

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From djm at mindrot.org 2004-09-04 08:28 -------
OpenSSH just uses the standard getaddrinfo() API, it doesn't do anything magical for DNS queries. Any complaints about getaddrinfo()'s behaviour on your system should be directed to your libc vendor.

BTW, you can turn off IPv6 lookups by setting "AddressFamily inet" in your ssh_config.