[Bug 2037] New: sshd Causing DNS Queries on ListenAddress when binding to IPV4 and IPV6 addresses on AIX

bugzilla-daemon at mindrot.org
Tue Aug 28 04:06:58 EST 2012


https://bugzilla.mindrot.org/show_bug.cgi?id=2037

          Priority: P5
            Bug ID: 2037
          Assignee: unassigned-bugs at mindrot.org
           Summary: sshd Causing DNS Queries on ListenAddress when binding
                    to IPV4 and IPV6 addresses on AIX
          Severity: normal
    Classification: Unclassified
                OS: AIX
          Reporter: caleblloyd at gmail.com
          Hardware: PPC
            Status: NEW
           Version: -current
         Component: sshd
           Product: Portable OpenSSH

On AIX 7.1, sshd is causing an AAAA DNS query to occur on "0.0.0.0"
and an A DNS query to occur on "::" when trying to listen on all IPv4
and IPv6 addresses.  If DNS is not configured, OpenSSH will take a long
time to try to resolve this DNS query on startup and on receiving a
client connection until the DNS query eventually times out.

ListenAddresses from /etc/ssh/sshd_config:

ListenAddress 0.0.0.0
ListenAddress ::

When a listener address is added to the server, the POSIX function
"getaddrinfo" is called from servconf.c.

The sshd application calls:
getaddrinfo("0.0.0.0") and
getaddrinfo("::"), with hints NULL for these 2 calls.

---------------------------------------------------------------------------

For the getaddrinfo("0.0.0.0", ...) call:
Internally, it will call these 2 APIs to collect information for both
IPv4 and IPv6 addresses since hints is NULL:
gethostbyname2("0.0.0.0", AF_INET6)
gethostbyname2("0.0.0.0", AF_INET)

In gethostbyname2 ("0.0.0.0", AF_INET6);
It's asking for an IPv6 address mapping.
"0.0.0.0" itself is NOT an IPv6 address, so resolver treats it as a
hostname.
You will see an AAAA query for hostname "0.0.0.0".

In gethostbyname2 ("0.0.0.0", AF_INET);
It's asking for an IPv4 address mapping.
"0.0.0.0" is an IPv4 address, so resolver will NOT go out to DNS server
for answer.
---------------------------------------------------------------------------

For the getaddrinfo("::", ...) call:
Internally, it will call these 2 APIs to collect information for both
IPv4 and IPv6 addresses since hints is NULL:
gethostbyname2("::", AF_INET6)
gethostbyname2("::", AF_INET)

In gethostbyname2("::", AF_INET6);
It is asking for an IPv6 address mapping. "::" itself is an IPv6
address.
So it won't do DNS query.

In gethostbyname2("::", AF_INET);
It is asking for an IPv4 address mapping. "::" itself is NOT an IPv4
address, so resolver treats it as a hostname.
You will see an A query for hostname "::".

---------------------------------------------------------------------------


The solution would be to define an AddressFamily for each ListenAddress
in /etc/ssh/sshd_config like so:
AddressFamily inet
ListenAddress 0.0.0.0
AddressFamily inet6
ListenAddress ::

Another solution would be to create a configuration option that would
let AI_NUMERICHOST be passed to the POSIX getaddrinfo() function.

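The report's second suggested fix, passing AI_NUMERICHOST so that getaddrinfo() rejects anything that is not an address literal instead of handing it to DNS, as an added example in C. This is not code from the bug report, from OpenSSH's servconf.c, or from AIX; the function names `resolve_literal` and `literal_family` are hypothetical, and the input strings are constructed. It assumes a POSIX getaddrinfo(3) such as glibc's; the NULL-hints call that triggers lookups on AIX is deliberately not reproduced, so the program never touches the network.

```c
/*
 * Added example: resolve ListenAddress strings ("0.0.0.0", "::") with
 * AI_NUMERICHOST so the resolver can never treat them as hostnames.
 * resolve_literal() and literal_family() are names made up for this
 * example; they are not OpenSSH functions.
 */
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Resolve `addr` strictly as an IP literal of `want_family`
 * (AF_UNSPEC, AF_INET or AF_INET6).  Returns 0 and stores the family of
 * the first result in *family_out, or the getaddrinfo() error code.
 * Because AI_NUMERICHOST is set, a string that is not a literal of the
 * requested family fails immediately; no A/AAAA query is ever sent. */
int resolve_literal(const char *addr, int want_family, int *family_out)
{
    struct addrinfo hints, *res = NULL;
    int rc;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family   = want_family;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags    = AI_PASSIVE | AI_NUMERICHOST;

    rc = getaddrinfo(addr, "22", &hints, &res);
    if (rc != 0)
        return rc;
    *family_out = res->ai_family;
    freeaddrinfo(res);
    return 0;
}

/* Convenience wrapper: AF_INET / AF_INET6 on success, -1 if `addr` is
 * not an address literal acceptable for `want_family`. */
int literal_family(const char *addr, int want_family)
{
    int fam = 0;
    if (resolve_literal(addr, want_family, &fam) != 0)
        return -1;
    return fam;
}

int main(void)
{
    /* constructed inputs: the two wildcard ListenAddress values from the
     * report plus one hostname that must NOT be looked up */
    const char *addrs[]    = { "0.0.0.0", "::", "sshd.example" };
    int         fams[]     = { AF_UNSPEC, AF_INET, AF_INET6 };
    const char *famnames[] = { "AF_UNSPEC", "AF_INET", "AF_INET6" };
    size_t i, j;

    for (i = 0; i < 3; i++) {
        for (j = 0; j < 3; j++) {
            int fam = 0;
            int rc = resolve_literal(addrs[i], fams[j], &fam);
            if (rc == 0)
                printf("%-13s hints=%-9s -> literal, family %s\n",
                       addrs[i], famnames[j],
                       fam == AF_INET ? "AF_INET" : "AF_INET6");
            else
                printf("%-13s hints=%-9s -> rejected without DNS: %s\n",
                       addrs[i], famnames[j], gai_strerror(rc));
        }
    }
    return 0;
}
```

With AF_UNSPEC each wildcard resolves to exactly one family, and asking for "0.0.0.0" as AF_INET6 (or "::" as AF_INET) is rejected by the library itself rather than turned into an AAAA or A query, which is the behaviour the report wants for the two ListenAddress lines.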