bugzilla-daemon at mindrot.org
2024-Jun-12 20:03 UTC
[Bug 3700] New: Unresponsive domain names freeze SSH connection when using SOCKS proxy
https://bugzilla.mindrot.org/show_bug.cgi?id=3700

            Bug ID: 3700
           Summary: Unresponsive domain names freeze SSH connection when using SOCKS proxy
           Product: Portable OpenSSH
           Version: 9.1p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: critical
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: timothy_holt123 at yahoo.co.uk

I enable dynamic port forwarding and set browser to SOCKS proxy with remote DNS lookup on. The whole SSH connection freezes when going on ebay.co.uk in my browser (Firefox) with "open failed: connect failed: Try again" printed several times in the terminal and the only way to get it working again is to kill the ssh process and restart it.

I narrowed it down to ebay.entmag.co.uk causing the freeze and get "Temporary failure in name resolution" when pinging it. Going on ebay.entmag.co.uk directly in the browser through the SOCKS proxy causes connection to freeze up for around a minute until the browser errors out.

This is a serious bug and makes dynamic port forwarding vulnerable to DDoS attacks.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2024-Jun-16 08:29 UTC
[Bug 3700] Unresponsive domain names freeze SSH connection when using SOCKS proxy
https://bugzilla.mindrot.org/show_bug.cgi?id=3700

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
           Severity|critical                    |enhancement

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
It sounds like you want non-blocking DNS requests in the SOCKS proxy code. This would be great to have, but unfortunately there is no cross-platform libc API we can rely on to do this and we're generally loath to pick up additional libraries except when strictly necessary.

Another possibility is implementing asynchronous DNS resolution via a forked subprocess, which is portable but would complicate the channels code fairly significantly.

You could probably avoid this by disabling the "Proxy DNS when using SOCKS5" setting in firefox.
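The "forked subprocess" idea from comment #1, as an added example that is not part of the original thread and is not OpenSSH code: the blocking lookup runs in a child process and the parent gets a pipe descriptor it can poll with a deadline, so a name that never resolves stalls only the child. All function names here (`lookup_system`, `lookup_stall`, `resolver_start`, `resolver_collect`) are hypothetical, and `lookup_stall` is a constructed stand-in for an unresponsive name.

```c
#include <sys/socket.h>
#include <sys/wait.h>
#include <netdb.h>
#include <poll.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>

typedef int (*lookup_fn)(const char *host, char *buf, size_t len);
/* Blocking libc lookup; writes the first address as numeric text. */
int lookup_system(const char *host, char *buf, size_t len) {
    struct addrinfo hints = { .ai_socktype = SOCK_STREAM }, *res;
    if (getaddrinfo(host, NULL, &hints, &res) != 0) return -1;
    int r = getnameinfo(res->ai_addr, res->ai_addrlen, buf, len, NULL, 0, NI_NUMERICHOST);
    freeaddrinfo(res);
    return r == 0 ? 0 : -1;
}

/* Constructed stand-in for an unresponsive name: never returns. */
int lookup_stall(const char *host, char *buf, size_t len) {
    (void)host; (void)buf; (void)len;
    for (;;) pause();
}

/* Run the blocking lookup in a child; returns a pipe fd the caller can poll. */
int resolver_start(lookup_fn fn, const char *host, pid_t *pid) {
    int fds[2];
    char buf[64];
    if (pipe(fds) == -1) return -1;
    if ((*pid = fork()) == -1) { close(fds[0]); close(fds[1]); return -1; }
    if (*pid == 0) {                /* child: only this process blocks */
        close(fds[0]);
        if (fn(host, buf, sizeof(buf)) != 0) _exit(1);
        _exit(write(fds[1], buf, strlen(buf)) > 0 ? 0 : 1);
    }
    close(fds[1]);
    return fds[0];
}

/* Wait at most timeout_ms: 0 resolved (text in out), -1 failed, -2 timed out. */
int resolver_collect(int fd, pid_t pid, int timeout_ms, char *out, size_t outlen) {
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    int ret = -1, n = poll(&pfd, 1, timeout_ms);
    ssize_t len = n > 0 ? read(fd, out, outlen - 1) : 0;
    if (len > 0) { out[len] = '\0'; ret = 0; }
    if (n <= 0) { kill(pid, SIGKILL); if (n == 0) ret = -2; }  /* stuck lookup */
    close(fd);
    waitpid(pid, NULL, 0);          /* reap the child */
    return ret;
}
```

In an event-driven server the descriptor from `resolver_start` would join the main poll set alongside the other channels instead of being waited on separately, which is where the extra channel-state complexity mentioned in the comment comes from.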
bugzilla-daemon at mindrot.org
2024-Jun-16 15:43 UTC
[Bug 3700] Unresponsive domain names freeze SSH connection when using SOCKS proxy
https://bugzilla.mindrot.org/show_bug.cgi?id=3700

--- Comment #2 from timothy_holt123 at yahoo.co.uk ---
(In reply to Damien Miller from comment #1)
> It sounds like you want non-blocking DNS requests in the SOCKS proxy
> code. This would be great to have, but unfortunately there is no
> cross-platform libc API we can rely on to do this and we're
> generally loath to pick up additional libraries except when strictly
> necessary.
>
> Another possibility is implementing asynchronous DNS resolution via
> a forked subprocess, which is portable but would complicate the
> channels code fairly significantly.
>
> You could probably avoid this by disabling the "Proxy DNS when using
> SOCKS5" setting in firefox.

This really has hit me hard. I have a configured /etc/hosts on the server so I need DNS through the proxy and the popular browsers (Edge and Chrome) seem to enforce remote DNS when using the proxy anyway. SOCKS is just not fit for purpose in my case with this issue present.

I really can't believe it's that difficult to resolve this issue. It seems the libc API is so badly designed.
bugzilla-daemon at mindrot.org
2024-Jun-17 02:42 UTC
[Bug 3700] Unresponsive domain names freeze SSH connection when using SOCKS proxy
https://bugzilla.mindrot.org/show_bug.cgi?id=3700

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to timothy_holt123 from comment #0)
> Going on ebay.entmag.co.uk directly in the browser through the SOCKS
> proxy causes connection to freeze up
[...]
> I have a configured /etc/hosts on the server

Put "0.0.0.0 ebay.entmag.co.uk" into the server's /etc/hosts?

> I really can't believe it's that difficult to resolve this
> issue.

We look forward to seeing your patch fixing it.
bugzilla-daemon at mindrot.org
2024-Jun-19 11:09 UTC
[Bug 3700] Unresponsive domain names freeze SSH connection when using SOCKS proxy
https://bugzilla.mindrot.org/show_bug.cgi?id=3700

--- Comment #4 from timothy_holt123 at yahoo.co.uk ---
(In reply to Darren Tucker from comment #3)
> (In reply to timothy_holt123 from comment #0)
> > Going on ebay.entmag.co.uk directly in the browser through the SOCKS
> > proxy causes connection to freeze up
> [...]
> > I have a configured /etc/hosts on the server
>
> Put "0.0.0.0 ebay.entmag.co.uk" into the server's /etc/hosts?
>
> > I really can't believe it's that difficult to resolve this
> > issue.
>
> We look forward to seeing your patch fixing it.

The problem is that's only one out of potentially many domains that are unresponsive and there's also a chance that domain will start working again. I tried it anyway but still got freezes.
bugzilla-daemon at mindrot.org
2024-Nov-26 07:46 UTC
[Bug 3700] Unresponsive domain names freeze SSH connection when using SOCKS proxy
https://bugzilla.mindrot.org/show_bug.cgi?id=3700

luke at bratch.co.uk changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |luke at bratch.co.uk