openssh bugs - Jul 2013 - [Bug 2126] New: ISP bogus NX records override configuration Host

https://bugzilla.mindrot.org/show_bug.cgi?id=2126

            Bug ID: 2126
           Summary: ISP bogus NX records override configuration Host
           Product: Portable OpenSSH
           Version: 6.0p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: rngadam at yahoo.com

ii  openssh-client                         1:6.0p1-3ubuntu1            
             i386         secure shell (SSH) client, for secure access
to remote machines
ii  openssh-server                         1:6.0p1-3ubuntu1            
             i386         secure shell (SSH) server, for secure access
from remote machines

* Host <Host> in ~/.ssh/config with a correct HostName entry
* ssh <Host>

Expected: connects to <Host>

Actual: ssh does a DNS lookup on the Host first, the ISP returns an IP
for their own ad server, ssh tries to connect to that IP and fails

Desired: ssh should check the config file first

Impact: can spend many hours trying to figure out whats wrong with the
configuration when it's actually not trying to connect to the RIP IP

Workaround: install dnsmasq and add a bogus-nxdomain=<IP> to
/etc/dnsmasq.conf

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2126

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
I'm not sure how this can happen; please attach the output of "ssh -vvv
user at host" from a failing session and your ~/.ssh/config.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2126

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au

--- Comment #2 from Darren Tucker <dtucker at zip.com.au> ---
(In reply to Damien Miller from comment #1)
> I'm not sure how this can happen;
indeed: ssh will use the Hostname from ssh_config or ~/.ssh/config if
present instead of what's returned from DNS.

another workaround: use a different DNS server such as google public
DNS
proper solution: get your ISP to stop lying about DNS answers or get a
better ISP.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2126

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WORKSFORME

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
If you can get a debug trace from unpatched OpenSSH showing this issue
then please reopen this bug.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2126

--- Comment #4 from Darren Tucker <dtucker at zip.com.au> ---
(In reply to Damien Miller from comment #3)
> If you can get a debug trace from unpatched OpenSSH showing this
> issue then please reopen this bug.
Also the fragment of ssh_config or ~/.ssh/config that you're using.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2126

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.