PuTTY: Forwarded connection refused by server: Administratively prohibited [open failed]

Constantine Aleksandrovich Murenin C++ at Cns.SU
Sun Jan 12 14:11:08 EST 2014


Hello,

In my installation, one of the resolvers specified in /etc/resolv.conf 
on the sshd OpenSSH server side appears to be experiencing some issues, 
and this results in the following issues on the client side with PuTTY:

* a SOCKS5-powered multi-tab web browser has some web pages time out 
(which takes many seconds), whereas other web pages stall during this time

* during the time where any web-page is in the process of timing out 
(which, as mentioned, takes many seconds), the terminal is stalling, 
too;  basically, the terminal is just about entirely unusable -- the 
stalls persist for dozens of seconds at a time;  remove dynamic port 
forwarding, wait for the timeouts to expire, and the terminal stalls no 
more, not even a little bit

The following appears in PuTTY Event Log around these troubling times:

2014-01-11 17:12:03 Forwarded connection refused by server: Administratively prohibited [open failed]

Otherwise, the following entries appear within PuTTY, which gives me the 
impression that the whole DNS resolution is done entirely on the server 
side (a SOCKS5 feature, per my understanding), with the client being 
entirely IPv4/IPv6 agnostic, most of the time:

2014-01-11 17:51:31	Opening forwarded connection to www.openssh.com:80


Why does the DNS timing out take so long?  Is there a way to abandon DNS 
queries after at most 1 s, or maybe even start issuing a duplicate query 
to the next server at 300 ms, without abandoning the first one for a 
while?  Or maybe be smart about the first server acting up, and issue 
most subsequent queries to the second server etc?  (I realise this is 
now in the realm of the DNS resolver library talk, arguably unrelated to 
OpenSSH, but, hey, you do have to start the discussion somewhere.)

Most importantly, why is there so much stalling going on?  This 
basically sounds like a DoS to me.

Cheers,
Constantine.
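The wire exchange behind the two PuTTY log lines above, as an added example that is not part of the original post and is not OpenSSH or PuTTY code: a SOCKS5 CONNECT from the browser carries the target hostname unresolved (so the SOCKS client does no DNS at all), the SSH client copies that hostname verbatim into an SSH_MSG_CHANNEL_OPEN "direct-tcpip" request (RFC 4254, section 7.2), and sshd resolves it with a synchronous getaddrinfo() while servicing that open, so a resolver that has to time out holds up everything else on the session. The decoder at the end rebuilds PuTTY's event-log wording from a CHANNEL_OPEN_FAILURE with reason code 1 and the description "open failed", which is what the log shows. All function names, the sample messages and the resolver-wait model are constructed for this example; the wait model is a deliberate simplification of real libc back-off.

```python
"""SSH dynamic forwarding as seen on the wire (constructed example).

Shows why the SSH *server* performs the DNS lookups behind a SOCKS5
("-D" / PuTTY dynamic) forward, and decodes the open failure PuTTY
reports as "Forwarded connection refused by server: ... [open failed]".
"""
import ipaddress
import struct

# SOCKS5 (RFC 1928) address types
SOCKS5_ATYP_IPV4, SOCKS5_ATYP_DOMAIN, SOCKS5_ATYP_IPV6 = 0x01, 0x03, 0x04

# SSH connection protocol (RFC 4254) message numbers and open-failure reasons
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_OPEN_FAILURE = 92
OPEN_FAILURE_REASONS = {
    1: "Administratively prohibited",
    2: "Connect failed",
    3: "Unknown channel type",
    4: "Resource shortage",
}


def socks5_connect_request(host: str, port: int) -> bytes:
    """Build the SOCKS5 CONNECT a browser sends to the local SOCKS listener.

    A hostname is sent as-is (ATYP 0x03): the client resolves nothing, which
    is what "remote DNS" means.  Only IP literals travel as addresses."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        body = bytes([SOCKS5_ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = SOCKS5_ATYP_IPV4 if addr.version == 4 else SOCKS5_ATYP_IPV6
        body = bytes([atyp]) + addr.packed
    # VER=5, CMD=1 (CONNECT), RSV=0, DST.ADDR, DST.PORT (network order)
    return bytes([0x05, 0x01, 0x00]) + body + struct.pack("!H", port)


def ssh_string(data: bytes) -> bytes:
    """SSH 'string' encoding: uint32 length followed by the bytes."""
    return struct.pack("!I", len(data)) + data


def direct_tcpip_open(host: str, port: int, sender_channel: int,
                      orig_host: str = "127.0.0.1", orig_port: int = 0,
                      window: int = 2 ** 21, max_packet: int = 32768) -> bytes:
    """SSH_MSG_CHANNEL_OPEN "direct-tcpip" (RFC 4254 7.2), one per forwarded
    TCP connection.  The target host is carried as a string exactly as the
    SOCKS client supplied it, so name resolution happens in sshd."""
    return (bytes([SSH_MSG_CHANNEL_OPEN])
            + ssh_string(b"direct-tcpip")
            + struct.pack("!III", sender_channel, window, max_packet)
            + ssh_string(host.encode("idna")) + struct.pack("!I", port)
            + ssh_string(orig_host.encode()) + struct.pack("!I", orig_port))


def channel_open_failure(channel: int, reason: int, desc: str) -> bytes:
    """Constructed server reply (SSH_MSG_CHANNEL_OPEN_FAILURE, RFC 4254 5.1):
    recipient channel, reason code, description, language tag."""
    return (bytes([SSH_MSG_CHANNEL_OPEN_FAILURE])
            + struct.pack("!II", channel, reason)
            + ssh_string(desc.encode()) + ssh_string(b""))


def parse_channel_open_failure(msg: bytes):
    """Decode a CHANNEL_OPEN_FAILURE into (channel, reason name, description)."""
    if not msg or msg[0] != SSH_MSG_CHANNEL_OPEN_FAILURE:
        raise ValueError("not a CHANNEL_OPEN_FAILURE")
    channel, reason = struct.unpack_from("!II", msg, 1)
    (dlen,) = struct.unpack_from("!I", msg, 9)
    desc = msg[13:13 + dlen].decode("utf-8", "replace")
    return channel, OPEN_FAILURE_REASONS.get(reason, f"reason {reason}"), desc


def putty_event_line(msg: bytes) -> str:
    """Render the failure the way PuTTY's Event Log words it."""
    _, reason, desc = parse_channel_open_failure(msg)
    return f"Forwarded connection refused by server: {reason} [{desc}]"


def worst_case_lookup_seconds(nameservers: int, timeout: int = 5,
                              attempts: int = 2) -> int:
    """Rough upper bound on one blocking getaddrinfo() with a dead resolver:
    every attempt waits `timeout` seconds on each listed server.  Simplified
    model (assumption: real libc resolvers add their own back-off); the
    defaults are the usual resolv.conf defaults of timeout:5 attempts:2."""
    return nameservers * timeout * attempts


if __name__ == "__main__":
    req = socks5_connect_request("www.openssh.com", 80)
    print("SOCKS5 CONNECT:", req.hex())            # ATYP 0x03, name verbatim
    print("direct-tcpip  :", direct_tcpip_open("www.openssh.com", 80, 256).hex())
    print(putty_event_line(channel_open_failure(256, 1, "open failed")))
    print("worst case with two resolvers:", worst_case_lookup_seconds(2), "s")
```

Assuming the server's libc is a glibc- or BSD-style resolver, the knobs the post asks for exist as `options timeout:1 attempts:1 rotate` in /etc/resolv.conf (see resolv.conf(5)); they bound each lookup but do not change the fact that sshd waits on it synchronously, so removing the broken resolver from the list is the actual cure.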

