problem with DNS lookups on non-IPv4-only-mode?
Dan Kaminsky
dan at doxpara.com
Thu Jun 10 03:38:37 EST 2004
The fundamental issue, last I checked, is that there are traditionally a
number of calls in sshd where, if one channel blocks, the entire
application freezes. I haven't tested this issue in years, but the two
cases that were the most problematic were:
1) Opening a port forward to a non-existent IP, and
2) Doing a DNS lookup for a non-existent target.
What was somewhat effective in mitigating this bug was to create some
sort of process on the remote host that would forcibly create keepalive
traffic in the server->client direction; something like:
ssh user@host "watch echo foo"
This is ultimately a fundamental weakness in the sshd architecture, and
the only ironclad solution is to use one primary sshd for hosts that
have proven themselves responsive, and then a variable size pool for new
connections. To maintain correct semantics, the first connection to any
host would have to go through the pool, while all future links could go
through the primary link.
It would be very expensive to run ten remote ssh daemons, though. Try
not to do that :)
--Dan