PuTTY: Forwarded connection refused by server: Administratively prohibited [open failed]

Damien Miller djm at mindrot.org
Sun Jan 12 22:39:39 EST 2014

On Sat, 11 Jan 2014, Constantine Aleksandrovich Murenin wrote:

> Hello,
> In my installation, one of the resolvers specified in /etc/resolv.conf
> on the sshd OpenSSH server side appears to be experiencing some
> issues, and this results in the following issues on the client side
> with PuTTY:
> * a SOCKS5-powered multi-tab web-browser has some web-pages timeout
> (takes many seconds), whereas other web-pages stall during this time
> * during the time where any web-page is in the process of timing out
> (which, as mentioned, takes many seconds), the terminal is stalling,
> too; basically, the terminal is just about entirely unusable -- the
> stalls persist for dozens of seconds at a time; remove dynamic port
> forwarding, wait for the timeouts to expire, and the terminal stalls
> no more, not even a little bit

Yes, OpenSSH uses the standard libc resolver to perform name
resolution. This is synchronous and blocking, so no other traffic
is processed while one is in progress.

Fixing this would require an asynchronous resolver. It's probably
worth doing, but we'd need to select one and integrate it with the
channels code. Depending on the resolver, this could be a little
or a lot of work.

> Why does the DNS timing out take so long? Is there a way to abandon
> DNS queries after at most 1 s, or maybe even start issuing a duplicate
> query to the next server at 300 ms, without abandoning the first one
> for a while? Or maybe be smart about the first server acting up, and
> issue most subsequent queries to the second server etc? (I realise
> this is now in the realm of the DNS resolver library talk, arguably
> unrelated to OpenSSH, but, hey, you do have to start the discussion
> somewhere.)

The libc resolver doesn't offer enough control or feedback
to support any of this. We'd need to use something different.
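To make the stall Damien describes concrete, here is an added example (my own toy, not OpenSSH code): an asyncio multiplexer where one channel performs a constructed slow lookup standing in for libc getaddrinfo() against an unresponsive resolver, and a second "terminal" channel measures how long its echo waits, first with the lookup done inline and then with it handed to a worker thread.

```python
# Added example, not OpenSSH code: a toy channel multiplexer showing why a
# blocking resolver call stalls every other channel, and the async alternative.
import asyncio
import time

RESOLVER_DELAY = 0.5  # constructed: seconds a "broken" upstream resolver takes to fail


def slow_getaddrinfo(host: str) -> str:
    """Stand-in for libc getaddrinfo() talking to an unresponsive resolver.

    It blocks the calling thread for RESOLVER_DELAY, exactly as the real call
    blocks until the resolver library gives up. No DNS traffic is sent.
    """
    time.sleep(RESOLVER_DELAY)
    return "192.0.2.1"  # constructed answer (RFC 5737 documentation address)


async def mux(resolve_in_thread: bool) -> float:
    """One channel opens a SOCKS-style forward (needs a lookup); another just
    wants a keystroke echoed. Returns how long the echo waited, in seconds."""
    loop = asyncio.get_running_loop()

    async def terminal_channel() -> float:
        sent = time.monotonic()
        await asyncio.sleep(0)  # one trip through the event loop, like a real echo
        return time.monotonic() - sent

    async def forward_channel() -> str:
        if resolve_in_thread:
            # Asynchronous variant: a worker thread blocks instead of the loop,
            # so other channels keep being serviced meanwhile.
            return await loop.run_in_executor(None, slow_getaddrinfo, "example.invalid")
        # Synchronous variant, as with the libc resolver: the whole loop freezes.
        return slow_getaddrinfo("example.invalid")

    term = asyncio.create_task(terminal_channel())
    fwd = asyncio.create_task(forward_channel())
    latency = await term
    await fwd
    return latency


def echo_latency(resolve_in_thread: bool) -> float:
    """Run the multiplexer once and report the echo channel's latency."""
    return asyncio.run(mux(resolve_in_thread))


if __name__ == "__main__":
    print(f"blocking lookup: echo waited {echo_latency(False):.2f}s")
    print(f"threaded lookup: echo waited {echo_latency(True):.2f}s")
```

With the inline lookup the echo waits the full resolver delay, which is the terminal freeze reported above; with the lookup off the loop it returns almost immediately.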
