problem with DNS lookups on non-IPv4-only-mode?

Kendell Welch kwelch at useractive.com
Tue Jun 8 15:11:17 EST 2004


Hi Darren...appreciate the response.

Sounds like a possible glibc problem.  See responses below:

> Which Linux distributions/versions, which BSD's, which versions of
> OpenSSH compiled with which options?
>

Will respond tomorrow with more precise versions/etc.  (we did try some
20 different servers...some RH, some custom Linux, some BSD...basically
everything we tried except for Windows </puke>.)

> It sounds like getaddrinfo() is blocking.  Some glibc's are known to
> take a long time to resolve IPv4or6 addresses:
> http://www.openssh.com/faq.html#3.3.
>

I hadn't seen that FAQ entry...will read up.

> > (cut...) P.S. ... http://www.vastrange.com/
>
> The features for this list " Works with any SSH Server account with no
> special configurations" and "Securely encrypts any TCP/IP or DNS traffic
> via SSH keeping your transferred data safe and private."
>
> Does this mean that UDP is not supported?

Safe Passage will not tunnel UDP via SSH.  It can configure SSH tunnels to
DNS names which the client thinks is the IP address that Safe Passage is
configured to tunnel.  Safe Passage then negotiates the tunnel with the
server, using the DNS name.  Hence, the problem...if Safe Passage
configures a lot of tunnels in rapid succession (i.e. when a user is
using Safe Passage to tunnel to http://www.whatismyipaddress.com/ ...
which has a lot of banners on different Domain Names,) the server "locks".

> It sounds like you're mapping
> connect() calls (and/or the Winsock equivalent) into direct-tcpip
> channel requests?

Not at all...we're intercepting I/O calls (in kernel mode) to the ethernet
adapter, and interacting accordingly.  Safe Passage does not attempt to
forward any UDP packets...however, it analyzes and responds to DNS
requests from the client...if configured to do so.

Thanks!
Kendell




More information about the openssh-unix-dev mailing list