[Bug 1357] New: SOCKS proxy attempts fail to some servers due to DNS timeouts

bugzilla-daemon at bugzilla.mindrot.org
Tue Sep 4 11:35:19 EST 2007


http://bugzilla.mindrot.org/show_bug.cgi?id=1357

           Summary: SOCKS proxy attempts fail to some servers due to DNS
                    timeouts
           Product: Portable OpenSSH
           Version: 4.6p1
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: sbbvai2hwkmh at jampee.com


Created an attachment (id=1345)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1345)
proposed patch

---PROBLEM DESCRIPTION---

I use ssh as a SOCKS 5 proxy for Firefox, and I have configured Firefox
to perform remote DNS lookups. That is, the SOCKS request contains the
hostname rather than the IP address of the host I want to connect to.

For the vast majority of sites I connect to, this works great. However,
for a few hosts, including www.etrade.com and www.vanguard.com, the
connection hangs for several seconds, then times out.

Although I think it's irrelevant, my SSH client is OpenSSH 4.6p1 on
MacOS 10.4.

My server is OpenSSH 4.6p1 on Linux 2.6.12.5.


---INVESTIGATION---

I ran strace on the sshd and saw that the DNS lookup of
www.vanguard.com was hanging (the DNS server took a long time to
respond, much more than 5 seconds). I decoded the DNS request and saw
that it is requesting QTYPE 28, which is the DNS AAAA record. This is
the request for the IPv6 address.

Next I tried this DNS lookup with dig. I ran "dig -t aaaa
www.vanguard.com", and it hung for about 20 seconds before finally
returning. I ran "dig -t aaaa www.yahoo.com", and it returned
immediately.

I ran these same dig tests on a different machine, serviced by a
different ISP and DNS servers, and got the same results.

My conclusion is that an AAAA lookup on some hosts will hang for a long
time.

Next I downloaded portable OpenSSH, compiled my own sshd, and found the
function connect_to() in channels.c. Note that the call to
getaddrinfo() is passing in a hints structure consisting of
ai_family=IPv4or6 and ai_socktype=SOCK_STREAM. The hints parameter is
optional, and if it is not specified it still allows either IPv4 or
IPv6 results. I replaced hints with NULL and recompiled. My problem
went away.

---RECOMMENDATION---

I recommend that the hints parameter be omitted, as this seems to fix
the hanging behavior while still working correctly on all sites I try
to connect to.


-- 
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
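The report above turns on what the hints argument to getaddrinfo() does to the result list. The following C program is an added illustration, not code from the bug report or from OpenSSH: it resolves a constructed literal address (127.0.0.1, port "22", so no DNS query is sent and it runs offline) once with the hints the report says connect_to() passes (any family, SOCK_STREAM only; IPv4or6 is OpenSSH's name for AF_UNSPEC) and once with a NULL hints pointer as the reporter proposes, and tallies how many entries of each socket type come back. The function names (summarize, lookup_with_sshd_hints, lookup_without_hints) are the example's own.

```c
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Tally of one getaddrinfo() result list. */
struct lookup_summary {
    int total;   /* number of addrinfo entries returned */
    int stream;  /* entries with ai_socktype == SOCK_STREAM */
    int other;   /* entries with any other socket type (datagram, raw, ...) */
};

/* Resolve host:port with the given hints (or NULL for no hints) and count
 * the entries by socket type.  Returns 0 on success, -1 on resolver error. */
static int summarize(const char *host, const char *port,
                     const struct addrinfo *hints, struct lookup_summary *out)
{
    struct addrinfo *res = NULL, *ai;
    int err;

    memset(out, 0, sizeof *out);
    err = getaddrinfo(host, port, hints, &res);
    if (err != 0) {
        fprintf(stderr, "getaddrinfo(%s): %s\n", host, gai_strerror(err));
        return -1;
    }
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        out->total++;
        if (ai->ai_socktype == SOCK_STREAM)
            out->stream++;
        else
            out->other++;
    }
    freeaddrinfo(res);
    return 0;
}

/* Variant 1: the hints the report describes for sshd's connect_to():
 * any address family, stream sockets only. */
int lookup_with_sshd_hints(const char *host, struct lookup_summary *out)
{
    struct addrinfo hints;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;      /* what OpenSSH calls IPv4or6 */
    hints.ai_socktype = SOCK_STREAM;
    return summarize(host, "22", &hints, out);
}

/* Variant 2: the reporter's change, no hints at all. */
int lookup_without_hints(const char *host, struct lookup_summary *out)
{
    return summarize(host, "22", NULL, out);
}

int main(void)
{
    struct lookup_summary a, b;

    /* 127.0.0.1 is a constructed literal input: the resolver parses it
     * without sending any DNS query, so the comparison works offline. */
    if (lookup_with_sshd_hints("127.0.0.1", &a) == 0)
        printf("sshd hints: %d entries (%d stream, %d other)\n",
               a.total, a.stream, a.other);
    if (lookup_without_hints("127.0.0.1", &b) == 0)
        printf("no hints  : %d entries (%d stream, %d other)\n",
               b.total, b.stream, b.other);
    return 0;
}
```

Two things the tally makes visible. First, with ai_socktype left unset the resolver returns one entry per socket type it knows (stream, datagram and, on glibc, raw) for every address, so a caller that walks the list and opens socket(ai_family, ai_socktype, ai_protocol) for each entry, as the usual idiom does, must now skip the non-stream entries itself; connect() on a datagram socket succeeds without any handshake and would otherwise be reported as a working TCP connection. Second, on glibc (the libc on the reporter's Linux server) a NULL hints pointer is not "no constraints": it is treated as AF_UNSPEC with AI_V4MAPPED|AI_ADDRCONFIG, and AI_ADDRCONFIG suppresses the AAAA query when the host has no non-loopback IPv6 address configured, which is a plausible reason the change made the slow lookups disappear. An explicit hints structure that keeps SOCK_STREAM and adds AI_ADDRCONFIG expresses that intent without widening the result list.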

