Peter Yue
2009-Dec-16 02:15 UTC
No ssh connection if the 1st DNS fails; 2nd DNS has no effect
Hello,

I have googled and searched the openssh database. I could not find the answer. Hence, I write this email.

I would like to know if ssh only looks for the primary DNS to resolve the IP address and this is normal; this is for security purposes.

The following is what I tried:
---------------------------------
I used "ssh -v xxx.yyy.zzz" to connect. There was an error message:

"ssh: Could not resolve hostname xxx.yyy.zzz: Name or service not known"

If I use dotted-quad (i.e., ssh 123.456.789.123), it worked.

I used "wireshark" to monitor the traffic. Wireshark showed that the primary DNS could not resolve the address and returned "server failure". Ssh then stopped without trying the secondary DNS.

When I "dig xxx.yyy.zzz" or "nslookup xxx", wireshark showed that the primary DNS failed and returned "server failure". However, it immediately asked the secondary DNS server listed in /etc/resolv.conf and I got the correct IP.

Regards,
Peter Yue
Peter Stuge
2009-Dec-16 07:33 UTC
No ssh connection if the 1st DNS fails; 2nd DNS has no effect
Peter Yue wrote:
> I would like to know if ssh only looks for the primary DNS to
> resolve the IP address and this is normal; this is for security
> purpose.

ssh uses the getaddrinfo() system library function to resolve a name into an IP address. How temporary DNS failures are handled by your library is out of scope for ssh.

//Peter
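To see where the "Name or service not known" text actually comes from, here is an added example (not from the thread, not OpenSSH's own code) that resolves a host through getaddrinfo() the way ssh does and classifies the resolver's error code; the helper names resolve_like_ssh and classify are invented for this illustration. A temporary failure such as a SERVFAIL surfaces as EAI_AGAIN from libc, and whether the second nameserver in /etc/resolv.conf is consulted is decided by the resolver library, not by the calling program.

```c
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Resolve `host` via getaddrinfo(), as ssh does, and return the gai error
 * code: 0 on success, EAI_AGAIN for a temporary resolver failure,
 * EAI_NONAME for "Name or service not known", etc.  On success the first
 * address is written to `out` (INET6_ADDRSTRLEN bytes) unless out is NULL.
 * `flags` is passed through to hints.ai_flags (e.g. AI_NUMERICHOST). */
int resolve_like_ssh(const char *host, int flags, char *out, size_t outlen)
{
    struct addrinfo hints, *res;
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = flags | AI_NUMERICSERV;      /* "22" is a port, not a service name */
    int rc = getaddrinfo(host, "22", &hints, &res);
    if (rc != 0)
        return rc;                                /* libc's verdict, e.g. EAI_NONAME */
    if (out != NULL) {
        void *addr = (res->ai_family == AF_INET)
            ? (void *)&((struct sockaddr_in *)res->ai_addr)->sin_addr
            : (void *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
        inet_ntop(res->ai_family, addr, out, outlen);
    }
    freeaddrinfo(res);
    return 0;
}

/* Map the gai code to the question raised in the thread: is this the
 * resolver library giving up temporarily, or a name that truly does not exist? */
const char *classify(int rc)
{
    if (rc == 0)           return "resolved";
    if (rc == EAI_AGAIN)   return "temporary resolver failure (check /etc/resolv.conf)";
    if (rc == EAI_NONAME)  return "name not known";
    return "other resolver error";
}

int main(int argc, char **argv)
{
    char buf[INET6_ADDRSTRLEN];
    const char *host = argc > 1 ? argv[1] : "localhost";   /* constructed default */
    int rc = resolve_like_ssh(host, 0, buf, sizeof buf);
    if (rc == 0)
        printf("%s -> %s (%s)\n", host, buf, classify(rc));
    else
        printf("%s: %s (%s)\n", host, gai_strerror(rc), classify(rc));
    return rc != 0;
}
```

Running it against the failing hostname while capturing traffic shows the same resolver queries as the "ssh -v" run, confirming that retry behaviour across nameservers belongs to the system resolver.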