Constantine Aleksandrovich Murenin
2014-Jan-12 03:11 UTC
PuTTY: Forwarded connection refused by server: Administratively prohibited [open failed]
Hello,

In my installation, one of the resolvers specified in /etc/resolv.conf on the sshd OpenSSH server side appears to be experiencing some issues, and this results in the following issues on the client side with PuTTY:

* a SOCKS5-powered multi-tab web-browser has some web-pages timeout (takes many seconds), whereas other web-pages stall during this time

* during the time where any web-page is in the process of timing out (which, as mentioned, takes many seconds), the terminal is stalling, too; basically, the terminal is just about entirely unusable -- the stalls persist for dozens of seconds at a time; remove dynamic port forwarding, wait for the timeouts to expire, and the terminal stalls no more, not even a little bit

The following appears in PuTTY Event Log around these troubling times:

2014-01-11 17:12:03 Forwarded connection refused by server: Administratively prohibited [open failed]

Otherwise, the following entries appear within PuTTY, which gives me the impression that the whole DNS resolution is done entirely on the server side (a SOCKS5 feature, per my understanding), with the client being entirely IPv4/IPv6 agnostic, most of the time:

2014-01-11 17:51:31 Opening forwarded connection to www.openssh.com:80

Why does the DNS timing out take so long? Is there a way to abandon DNS queries after at most 1 s, or maybe even start issuing a duplicate query to the next server at 300 ms, without abandoning the first one for a while? Or maybe be smart about the first server acting up, and issue most subsequent queries to the second server etc? (I realise this is now in the realm of the DNS resolver library talk, arguably unrelated to OpenSSH, but, hey, you do have to start the discussion somewhere.)

Most importantly, why is there so much stalling going on? This basically sounds like a DoS to me.

Cheers,
Constantine.
Damien Miller
2014-Jan-12 11:39 UTC
PuTTY: Forwarded connection refused by server: Administratively prohibited [open failed]
On Sat, 11 Jan 2014, Constantine Aleksandrovich Murenin wrote:

> Hello,
>
> In my installation, one of the resolvers specified in /etc/resolv.conf
> on the sshd OpenSSH server side appears to be experiencing some
> issues, and this results in the following issues on the client side
> with PuTTY:
>
> * a SOCKS5-powered multi-tab web-browser has some web-pages timeout
> (takes many seconds), whereas other web-pages stall during this time
>
> * during the time where any web-page is in the process of timing out
> (which, as mentioned, takes many seconds), the terminal is stalling,
> too; basically, the terminal is just about entirely unusable -- the
> stalls persist for dozens of seconds at a time; remove dynamic port
> forwarding, wait for the timeouts to expire, and the terminal stalls
> no more, not even a little bit

Yes, OpenSSH uses the standard libc resolver to perform name resolution. This is synchronous and blocking, so no other traffic is processed while one is in progress.

Fixing this would require an asynchronous resolver. It's probably worth doing, but we'd need to select one and integrate it with the channels code. Depending on the resolver, this could be a little or a lot of work.

> Why does the DNS timing out take so long? Is there a way to abandon
> DNS queries after at most 1 s, or maybe even start issuing a duplicate
> query to the next server at 300 ms, without abandoning the first one
> for a while? Or maybe be smart about the first server acting up, and
> issue most subsequent queries to the second server etc? (I realise
> this is now in the realm of the DNS resolver library talk, arguably
> unrelated to OpenSSH, but, hey, you do have to start the discussion
> somewhere.)

The libc resolver doesn't offer enough control or feedback to support any of this. We'd need to use something different.

-d
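The stall Damien describes (one blocking resolver call freezing every channel multiplexed over the connection) can be reproduced in a small simulation. This is an added example, not code from OpenSSH or from either poster: a single select loop serves an "open" channel that needs a name resolved and an interactive echo channel; the resolver is a constructed stand-in that sleeps 0.5 s instead of querying a dead nameserver, and the loop is run once calling it inline (the libc way) and once handing it to a thread that reports back through a wake-up socket pair (the shape an asynchronous resolver integration would take).

```python
import selectors
import socket
import threading
import time

def slow_resolve(host):
    # Stand-in for libc getaddrinfo() against a nameserver that is not
    # answering: blocks the caller for 0.5 s (constructed, no real query).
    time.sleep(0.5)
    return f"{host} 192.0.2.1"  # TEST-NET-1 placeholder address

def channel_mux(resolve_in_thread, run_for=1.0):
    """Single select loop in the spirit of sshd's channel code. Channel A
    carries a forwarded-connection open that needs a name resolved; channel
    B echoes keystrokes. Returns the worst echo round-trip (s) on B."""
    sel = selectors.DefaultSelector()
    a_srv, a_cli = socket.socketpair()
    b_srv, b_cli = socket.socketpair()
    wake_r, wake_w = socket.socketpair()  # self-pipe for resolver completions
    sel.register(a_srv, selectors.EVENT_READ, "open")
    sel.register(b_srv, selectors.EVENT_READ, "echo")
    sel.register(wake_r, selectors.EVENT_READ, "resolved")
    worst, stop = [0.0], threading.Event()

    def typist():  # client side: one open request, then a key every 50 ms
        a_cli.sendall(b"www.openssh.com")
        while not stop.is_set():
            t0 = time.monotonic()
            b_cli.sendall(b"x")
            b_cli.recv(1)
            worst[0] = max(worst[0], time.monotonic() - t0)
            time.sleep(0.05)

    threading.Thread(target=typist, daemon=True).start()
    deadline = time.monotonic() + run_for
    while time.monotonic() < deadline:
        for key, _ in sel.select(timeout=0.05):
            if key.data == "open":
                host = a_srv.recv(64).decode()
                if resolve_in_thread:  # loop keeps serving; thread reports back
                    threading.Thread(target=lambda: wake_w.sendall(
                        slow_resolve(host).encode()), daemon=True).start()
                else:  # the libc way: every channel waits while this blocks
                    wake_w.sendall(slow_resolve(host).encode())
            elif key.data == "resolved":
                a_srv.sendall(wake_r.recv(64))  # real code would connect() here
            elif key.data == "echo":
                b_srv.sendall(b_srv.recv(1))
    stop.set()
    return worst[0]
```

With the inline resolver the echo channel's worst round-trip is about the full 0.5 s resolver delay; with the threaded resolver it stays in the millisecond range, which is the difference between a terminal that freezes for the duration of each DNS timeout and one that keeps responding.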