[Bug 924] Bogus IPv6 DNS queries cause unnecessary root server traffic
bugzilla-daemon at mindrot.org
Fri Sep 3 23:36:35 EST 2004
http://bugzilla.mindrot.org/show_bug.cgi?id=924
Summary: Bogus IPv6 DNS queries cause unnecessary root server traffic
Product: Portable OpenSSH
Version: 3.8p1
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ssh
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: jgiglio at netmar.com
Also At:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=131610
The Openssh client will make a series of DNS queries when a user uses
ssh to connect to an unqualified short name on a LAN. Some of the
IPv6 queries are fed to the name server defined in resolv.conf as if
they were a TLD query, which gets bogus traffic forwarded to the root
DNS servers.
For example:
ssh user at hostname
resolv.conf:
domain sub.domain.com
nameserver 192.1.1.2
Packet capture:
13:39:40.375681 192.1.1.252.34288 > 192.1.1.2.domain: 57759+ AAAA? hostname.sub.domain.com. (45) (DF)
13:39:40.376425 192.1.1.252.34288 > 192.1.1.2.domain: 57760+ AAAA? hostname. (25) (DF)
13:39:40.395541 192.1.1.252.34288 > 192.1.1.2.domain: 57761+ A? hostname.sub.domain.com. (45) (DF)
The second packet is the problem, as the name server will interpret
this as a TLD lookup, causing bogus root name server traffic.
We use ssh extensively in our internal apps, with thousands of ssh
sessions being established per day. As this bug seems widespread, I
can only imagine what the global impact on root name server traffic is.
In addition to the impact on root server traffic, this problem will
cause a 10 second delay in any ssh connections if the local DNS
server loses connectivity to the outside world for some reason. This
is how this problem was discovered: our Internet connection failed,
and suddenly internal SSH connections took 10 seconds longer. This
happens as the DNS server waits for two 5 second timeouts for the
second query listed above.
Version-Release number of selected component (if applicable):
All versions it seems.
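As an added example (not part of the bug report or of OpenSSH), a small Python script that parses tcpdump DNS query lines in the format shown above and flags single-label names such as `hostname.`, which a forwarding resolver can only answer by asking the root servers. The capture lines are constructed to mirror the report and are not a real trace.

```python
import re
from collections import Counter

# Constructed sample in the tcpdump format quoted in the report (not a real capture).
SAMPLE_CAPTURE = """\
13:39:40.375681 192.1.1.252.34288 > 192.1.1.2.domain: 57759+ AAAA? hostname.sub.domain.com. (45) (DF)
13:39:40.376425 192.1.1.252.34288 > 192.1.1.2.domain: 57760+ AAAA? hostname. (25) (DF)
13:39:40.395541 192.1.1.252.34288 > 192.1.1.2.domain: 57761+ A? hostname.sub.domain.com. (45) (DF)
13:39:41.100000 192.1.1.253.40012 > 192.1.1.2.domain: 12001+ A? www.example.net. (33) (DF)
13:39:41.200000 192.1.1.253.40012 > 192.1.1.2.domain: 12002+ AAAA? db01. (22) (DF)
"""

# ts  src.port > dst.port:  id+  QTYPE?  qname  (len) ...
QUERY_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<id>\d+)\+\s+(?P<qtype>[A-Z0-9]+)\?\s+(?P<qname>\S+)\s+\((?P<len>\d+)\)"
)

def parse_queries(capture: str):
    """Parse tcpdump DNS query lines into dicts; lines that do not match are skipped."""
    out = []
    for line in capture.splitlines():
        m = QUERY_RE.match(line.strip())
        if m:
            q = m.groupdict()
            q["id"], q["len"] = int(q["id"]), int(q["len"])
            out.append(q)
    return out

def is_single_label(qname: str) -> bool:
    """True for an unqualified name like 'hostname.' (one label plus the root dot)."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return len(labels) == 1

def find_tld_lookups(capture: str):
    """Return the queries the local resolver would have to forward towards the root."""
    return [q for q in parse_queries(capture) if is_single_label(q["qname"])]

def summarize(capture: str):
    """Count offending queries per client host and per record type."""
    bad = find_tld_lookups(capture)
    by_client = Counter(q["src"].rsplit(".", 1)[0] for q in bad)  # strip the port
    by_qtype = Counter(q["qtype"] for q in bad)
    return {"total": len(parse_queries(capture)), "single_label": len(bad),
            "by_client": dict(by_client), "by_qtype": dict(by_qtype)}

if __name__ == "__main__":
    for q in find_tld_lookups(SAMPLE_CAPTURE):
        print(f"{q['ts']} {q['src']} {q['qtype']}? {q['qname']}  <- leaves the zone as a TLD lookup")
    print(summarize(SAMPLE_CAPTURE))
```

Running the same parser over a longer capture from the recursive server gives a per-client count that shows which hosts' resolver configuration is producing the stray queries.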