[Bug 1357] New: SOCKS proxy attempts fail to some servers due to DNS timeouts
bugzilla-daemon at bugzilla.mindrot.org
Tue Sep 4 11:35:19 EST 2007
http://bugzilla.mindrot.org/show_bug.cgi?id=1357
Summary: SOCKS proxy attempts fail to some servers due to DNS timeouts
Product: Portable OpenSSH
Version: 4.6p1
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy: sbbvai2hwkmh at jampee.com
Created an attachment (id=1345)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1345)
proposed patch
---PROBLEM DESCRIPTION---
I use ssh as a SOCKS 5 proxy for Firefox, and I have configured Firefox
to perform remote DNS lookups. That is, the SOCKS request contains the
hostname rather than the IP address of the host I want to connect to.
For the vast majority of sites I connect to, this works great. However,
for a few hosts, including www.etrade.com and www.vanguard.com, the
connection hangs for several seconds, then times out.
Although I think it's irrelevant, my SSH client is OpenSSH 4.6p1 on
MacOS 10.4.
My server is OpenSSH 4.6p1 on Linux 2.6.12.5.
---INVESTIGATION---
I ran strace on the sshd and saw that the DNS lookup of
www.vanguard.com was hanging (the DNS server took a long time to
respond, much more than 5 seconds). I decoded the DNS request and saw
that it is requesting QTYPE 28, which is the DNS AAAA record. This is
the request for the IPv6 address.
Next I tried this DNS lookup with dig. I ran "dig -t aaaa
www.vanguard.com", and it hung for about 20 seconds before finally
returning. I ran "dig -t aaaa www.yahoo.com", and it returned
immediately.
I ran these same dig tests on a different machine, serviced by a
different ISP and DNS servers, and got the same results.
My conclusion is that an AAAA lookup on some hosts will hang for a long
time.
Next I downloaded Portable OpenSSH, compiled my own sshd, and found the
function connect_to() in channels.c. Note that the call to
getaddrinfo() is passing in a hints structure consisting of
ai_family=IPv4or6 and ai_socktype=SOCK_STREAM. The hints parameter is
optional, and if it is not specified it still allows either IPv4 or
IPv6 results. I replaced hints with NULL and recompiled. My problem
went away.
---RECOMMENDATION---
I recommend that the hints parameter be omitted, as this seems to fix
the hanging behavior while still working correctly on all sites I try
to connect to.
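The two getaddrinfo() calls the report compares, side by side, as an added example; this is not code from the bug report or from OpenSSH's channels.c. It assumes the hints the report describes (OpenSSH's IPv4or6 global defaults to AF_UNSPEC) and adds a third, hypothetical variant using the standard AI_ADDRCONFIG flag, which is not part of the report's recommendation. The input is a constructed numeric loopback address so the program runs without touching DNS; pass a hostname as the first argument to watch a real lookup.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* getaddrinfo(3) and AI_ADDRCONFIG */
#endif
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* The three ways of calling getaddrinfo() compared here. */
enum resolve_mode {
    RESOLVE_HINTS_STREAM, /* hints = {AF_UNSPEC, SOCK_STREAM}: what the report says connect_to() passes */
    RESOLVE_NO_HINTS,     /* hints = NULL: the reporter's change */
    RESOLVE_ADDRCONFIG    /* hypothetical alternative: {AF_UNSPEC, SOCK_STREAM} plus AI_ADDRCONFIG,
                           * which asks for AAAA records only if the host has an IPv6 address configured */
};

/* Resolve host/port in the given mode. Returns the entry count and hands the
 * list back in *out (caller frees it with freeaddrinfo), or -1 if the resolver
 * fails. getaddrinfo() is synchronous: a slow AAAA answer blocks right here. */
static int resolve_host(const char *host, const char *port, enum resolve_mode mode,
                        struct addrinfo **out)
{
    struct addrinfo hints, *res = NULL, *ai;
    const struct addrinfo *hp = NULL;
    int n = 0;

    memset(&hints, 0, sizeof(hints));
    if (mode != RESOLVE_NO_HINTS) {
        hints.ai_family = AF_UNSPEC;      /* OpenSSH's IPv4or6 global defaults to AF_UNSPEC */
        hints.ai_socktype = SOCK_STREAM;
        if (mode == RESOLVE_ADDRCONFIG)
            hints.ai_flags = AI_ADDRCONFIG;
        hp = &hints;
    }
    if (getaddrinfo(host, port, hp, &res) != 0) {
        *out = NULL;
        return -1;
    }
    for (ai = res; ai != NULL; ai = ai->ai_next)
        n++;
    *out = res;
    return n;
}

/* Total number of entries returned for host/port in the given mode. */
int resolve_count(const char *host, const char *port, enum resolve_mode mode)
{
    struct addrinfo *res;
    int n = resolve_host(host, port, mode, &res);
    if (n >= 0)
        freeaddrinfo(res);
    return n;
}

/* Number of entries a TCP connector can actually use. With hints == NULL the
 * resolver may also return SOCK_DGRAM and SOCK_RAW entries for the same
 * address, so a caller that drops the hints has to skip non-stream entries
 * itself instead of handing each one to socket()/connect(). */
int resolve_stream_count(const char *host, const char *port, enum resolve_mode mode)
{
    struct addrinfo *res, *ai;
    int n = 0;
    if (resolve_host(host, port, mode, &res) < 0)
        return -1;
    for (ai = res; ai != NULL; ai = ai->ai_next)
        if (ai->ai_socktype == SOCK_STREAM)
            n++;
    freeaddrinfo(res);
    return n;
}

/* Print every entry so the difference between the modes is visible. */
static void dump(const char *label, const char *host, const char *port, enum resolve_mode mode)
{
    struct addrinfo *res, *ai;
    char buf[INET6_ADDRSTRLEN];
    if (resolve_host(host, port, mode, &res) < 0) {
        printf("%s: resolver error\n", label);
        return;
    }
    printf("%s:\n", label);
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        const void *addr = ai->ai_family == AF_INET6
            ? (const void *)&((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr
            : (const void *)&((struct sockaddr_in *)ai->ai_addr)->sin_addr;
        inet_ntop(ai->ai_family, addr, buf, sizeof buf);
        printf("  family=%d socktype=%d addr=%s\n", ai->ai_family, ai->ai_socktype, buf);
    }
    freeaddrinfo(res);
}

int main(int argc, char **argv)
{
    /* Constructed input: numeric loopback, so no DNS query is sent. */
    const char *host = argc > 1 ? argv[1] : "127.0.0.1";
    dump("hints {AF_UNSPEC, SOCK_STREAM}", host, "80", RESOLVE_HINTS_STREAM);
    dump("hints NULL", host, "80", RESOLVE_NO_HINTS);
    dump("hints + AI_ADDRCONFIG", host, "80", RESOLVE_ADDRCONFIG);
    return 0;
}
```

Two points worth keeping in mind when weighing the recommendation. POSIX specifies that a NULL hints pointer behaves like a structure with ai_family=AF_UNSPEC and zero ai_flags, ai_socktype and ai_protocol, so the only difference between the first two variants is the socket type, and dropping the hints means the resolver may return several entries per address that a TCP connector must filter. And whichever hints are used, getaddrinfo() has no per-call deadline: on glibc the stall is bounded only by the resolver's own retry policy (the timeout and attempts options in resolv.conf), so a slow upstream AAAA answer still holds up that connection attempt inside the proxying process.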