bugzilla-daemon at mindrot.org
2024-Jun-12 20:03 UTC
[Bug 3700] New: Unresponsive domain names freeze SSH connection when using SOCKS proxy
https://bugzilla.mindrot.org/show_bug.cgi?id=3700
Bug ID: 3700
Summary: Unresponsive domain names freeze SSH connection when
using SOCKS proxy
Product: Portable OpenSSH
Version: 9.1p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: critical
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: timothy_holt123 at yahoo.co.uk
I enable dynamic port forwarding and set browser to SOCKS proxy with
remote DNS lookup on.
The whole SSH connection freezes when going on ebay.co.uk in my browser
(Firefox) with "open failed: connect failed: Try again" printed several
times in the terminal and the only way to get it working again is to
kill the ssh process and restart it. I narrowed it down to
ebay.entmag.co.uk causing the freeze and get "Temporary failure in name
resolution" when pinging it.
Going on ebay.entmag.co.uk directly in the browser through the SOCKS
proxy causes connection to freeze up for around a minute until the
browser errors out.
This is a serious bug and makes dynamic port forwarding vulnerable to
DDoS attacks.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2024-Jun-16 08:29 UTC
[Bug 3700] Unresponsive domain names freeze SSH connection when using SOCKS proxy
https://bugzilla.mindrot.org/show_bug.cgi?id=3700
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
Severity|critical |enhancement
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
It sounds like you want non-blocking DNS requests in the SOCKS proxy
code. This would be great to have, but unfortunately there is no
cross-platform libc API we can rely on to do this and we're generally
loath to pick up additional libraries except when strictly necessary.
Another possibility is implementing asynchronous DNS resolution via a
forked subprocess, which is portable but would complicate the channels
code fairly significantly.
You could probably avoid this by disabling the "Proxy DNS when using
SOCKS5" setting in firefox.
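The forked-subprocess approach mentioned in comment #1, sketched as an added example; this is not OpenSSH code and does not touch the channels code. The names resolve_with_timeout, lookup_fn, gai_lookup and stalled_lookup are hypothetical, and stalled_lookup is a constructed stand-in for a name whose servers never answer.

```c
/* Added example, not OpenSSH code: a blocking lookup runs in a forked child. */
#define _POSIX_C_SOURCE 200809L
#include <sys/socket.h>
#include <sys/wait.h>
#include <netdb.h>
#include <poll.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>
typedef int (*lookup_fn)(const char *host, char *out, size_t len);
/* Real blocking resolver: first address of host as a numeric string. */
int gai_lookup(const char *host, char *out, size_t len) {
    struct addrinfo hints = { .ai_socktype = SOCK_STREAM }, *res;
    if (getaddrinfo(host, NULL, &hints, &res) != 0) return -1;
    int r = getnameinfo(res->ai_addr, res->ai_addrlen, out, len, NULL, 0, NI_NUMERICHOST);
    freeaddrinfo(res);
    return r == 0 ? 0 : -1;
}
/* Constructed stand-in for a name whose servers never answer. */
int stalled_lookup(const char *host, char *out, size_t len) {
    (void)host; (void)out; (void)len; sleep(30); return -1;
}
/* Returns 0 on success, -1 on lookup failure, -2 on timeout. */
int resolve_with_timeout(lookup_fn fn, const char *host, int timeout_ms, char *out, size_t len) {
    int p[2], ret = -2;
    if (pipe(p) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) { close(p[0]); close(p[1]); return -1; }
    if (pid == 0) {                      /* child: only this process blocks */
        char buf[256] = "";
        close(p[0]);
        _exit(fn(host, buf, sizeof(buf)) != 0 || write(p[1], buf, strlen(buf)) < 0);
    }
    close(p[1]);
    struct pollfd pfd = { .fd = p[0], .events = POLLIN };
    if (poll(&pfd, 1, timeout_ms) > 0) { /* answer or EOF before the deadline */
        ssize_t n = read(p[0], out, len - 1);
        if (n > 0) { out[n] = '\0'; ret = 0; } else ret = -1;
    } else
        kill(pid, SIGKILL);              /* abandon the stuck lookup */
    close(p[0]);
    waitpid(pid, NULL, 0);               /* reap the child */
    return ret;
}
int main(void) {
    char ip[64];
    /* 127.0.0.1 is numeric, so this lookup needs no network access */
    return resolve_with_timeout(gai_lookup, "127.0.0.1", 1000, ip, sizeof(ip)) == 0 ? 0 : 1;
}
```

The parent here still waits in poll() up to the deadline; an event-driven caller would instead add the pipe's read end to its existing poll set and reap the child when it becomes readable.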
bugzilla-daemon at mindrot.org
2024-Jun-16 15:43 UTC
[Bug 3700] Unresponsive domain names freeze SSH connection when using SOCKS proxy
https://bugzilla.mindrot.org/show_bug.cgi?id=3700
--- Comment #2 from timothy_holt123 at yahoo.co.uk ---
(In reply to Damien Miller from comment #1)
> It sounds like you want non-blocking DNS requests in the SOCKS proxy
> code. This would be great to have, but unfortunately there is no
> cross-platform libc API we can rely on to do this and we're
> generally loath to pick up additional libraries except when strictly
> necessary.
>
> Another possibility is implementing asynchronous DNS resolution via
> a forked subprocess, which is portable but would complicate the
> channels code fairly significantly.
>
> You could probably avoid this by disabling the "Proxy DNS when using
> SOCKS5" setting in firefox.
This really has hit me hard. I have a configured /etc/hosts on the
server so I need DNS through the proxy and the popular browsers (Edge
and Chrome) seem to enforce remote DNS when using the proxy anyway.
SOCKS is just not fit for purpose in my case with this issue present.
I really can't believe it's that difficult to resolve this issue. It
seems the libc API is so badly designed.
bugzilla-daemon at mindrot.org
2024-Jun-17 02:42 UTC
[Bug 3700] Unresponsive domain names freeze SSH connection when using SOCKS proxy
https://bugzilla.mindrot.org/show_bug.cgi?id=3700
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at dtucker.net
--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to timothy_holt123 from comment #0)
> Going on ebay.entmag.co.uk directly in the browser through the SOCKS
> proxy causes connection to freeze up
[...]
> I have a configured /etc/hosts on the server
Put "0.0.0.0 ebay.entmag.co.uk" into the server's /etc/hosts?
> I really can't believe it's that difficult to resolve this
> issue.
We look forward to seeing your patch fixing it.
bugzilla-daemon at mindrot.org
2024-Jun-19 11:09 UTC
[Bug 3700] Unresponsive domain names freeze SSH connection when using SOCKS proxy
https://bugzilla.mindrot.org/show_bug.cgi?id=3700
--- Comment #4 from timothy_holt123 at yahoo.co.uk ---
(In reply to Darren Tucker from comment #3)
> (In reply to timothy_holt123 from comment #0)
> > Going on ebay.entmag.co.uk directly in the browser through the SOCKS
> > proxy causes connection to freeze up
> [...]
> > I have a configured /etc/hosts on the server
>
> Put "0.0.0.0 ebay.entmag.co.uk" into the server's /etc/hosts?
>
> > I really can't believe it's that difficult to resolve this
> > issue.
>
> We look forward to seeing your patch fixing it.
The problem is that's only one out of potentially many domains that are
unresponsive and there's also a chance that domain will start working
again. I tried it anyway but still got freezes.
bugzilla-daemon at mindrot.org
2024-Nov-26 07:46 UTC
[Bug 3700] Unresponsive domain names freeze SSH connection when using SOCKS proxy
https://bugzilla.mindrot.org/show_bug.cgi?id=3700
luke at bratch.co.uk changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |luke at bratch.co.uk