Disabling reverse dns lookups in ssh

Sometimes it is very annoying to wait tens of seconds for the remote ssh server's reverse DNS lookup procedure to finish. It can be disabled on the server side, but this process has a few tricks.

First of all, you have to set "UseDNS no" in the /etc/ssh/sshd_config file. The default is yes, and if this line does not exist in your config file, just add it as below:

UseDNS no

This directive tells the sshd process to check whether the resolved host name for the connected client's IP address maps back to the very same IP address or not.

However, it does not prevent the sshd server from performing any DNS lookups at all. That’s not the purpose of that directive.

In order to remove DNS lookups completely, you have to use the -u0 option when starting the sshd server.

You can easily add this option to /etc/default/ssh or /etc/sysconfig/sshd or elsewhere suitable for your distribution.

The -u0 option means that sshd will not put hostnames into the utmp structure (i.e. what you see when you type "who" at the shell prompt), which means that sshd will not perform any DNS lookups for that purpose.

However, there are still cases where a lookup has to be performed: when a user has entries like

from=<hostname>

in his authorized_keys file, or when authentication methods or configuration directives are used that involve hostnames.

We have an ssh connection delay when connecting to our system remotely. The sshd config file already has the UseDNS no option, but it seems that sshd tries to do reverse DNS resolution anyway. How can I disable ssh reverse DNS lookups completely?

If you want to disable all types of connection delay, you have to disable GSSAPIAuthentication too if it is active. GSSAPI is an IETF standard for doing strong encrypted authentication in network-based applications. It is also supported by OpenSSH, but it can introduce delays. Some distributions leave this mode active by default, so you have to change it like this in /etc/ssh/sshd_config:

GSSAPIAuthentication no

I like to pass the GSSAPIAuthentication=no option on the command line to prevent this message.

Example:

ssh -o GSSAPIAuthentication=no [email protected]

…or you can just add GSSAPIAuthentication=no to /etc/ssh/ssh_config.
It may already exist in the file; just change it from yes to no.

No. UseDNS no in sshd_config enables the equivalent of sshd -d0 too. I've confirmed this in the source code of OpenSSH 6.6p1, 7.2p1 and 7.5p1.

As the top Google result for “ssh disable reverse DNS” I thought I’d post this here.

TL;DR version:
tcp wrappers (libwrap) may be causing a reverse DNS lookup to occur.

!(TL;DR) version:
A head-shaped dent was beginning to metaphorically appear on the wall while I tried everything I could find to ascertain why my initial ssh connection was slow. A bit of running sshd in debug mode along with strace (and subsequently tcpdump) showed that it was making repeated attempts to look up the IP address with a DNS PTR lookup. Watching the process with ltrace showed me that the hosts_access library function was being called and was taking a long time. Looking through the OpenSSH source code revealed this to be libwrap related.

I didn’t look through the libwrap code (had difficulty finding it, and solved my problem before I did find it), but had the following in my hosts.allow file:

ALL: localhost

It would seem (from my observed behaviour) that when libwrap comes across this, rather than resolving localhost to 127.0.0.1 and comparing that with my IP address, it does a reverse lookup on my IP address and compares the result with 'localhost'.

This issue was resolved by changing localhost to 127.0.0.1/8, ::1.

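A small POSIX shell audit, added here as an example and not taken from OpenSSH or from any post in this thread, that checks an sshd_config and a hosts.allow for the three reverse-lookup triggers the thread covers (UseDNS, GSSAPIAuthentication, and hostname patterns in tcp wrappers). The file paths are parameters and the sample files it writes are constructed, so it runs offline.

```shell
# Added example (not OpenSSH's or any poster's code): audit an sshd_config and
# a hosts.allow for settings that make sshd resolve the client address (PTR
# lookup) at connect time. Point it at the live files to audit a real host.

# Effective global value of an sshd_config keyword, lower-cased. sshd takes the
# first occurrence, and we stop at the first Match block. Empty output = unset.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# Client-list tokens in a hosts.allow/hosts.deny file that are names rather
# than addresses. Anything except ALL or a purely numeric pattern makes libwrap
# look up the client's name first (the "ALL: localhost" case described above).
wrap_host_patterns() {
    sed -e 's/#.*//' -e 's/\[[^]]*\]//g' "$1" |
    awk -F: 'NF >= 2 { n = split($2, t, /[ \t,]+/); for (i = 1; i <= n; i++)
        if (t[i] != "" && t[i] != "ALL" && t[i] !~ /^[0-9.\/]+$/) print t[i] }'
}

# Print one finding per line; return 1 if anything was found, 0 if clean.
audit_ssh_dns() {
    cfg=$1; allow=$2; rc=0
    v=$(sshd_opt "$cfg" UseDNS)
    if [ "$v" != "no" ]; then
        echo "sshd_config: UseDNS is '${v:-unset}'; set 'UseDNS no'"; rc=1
    fi
    if [ "$(sshd_opt "$cfg" GSSAPIAuthentication)" = "yes" ]; then
        echo "sshd_config: GSSAPIAuthentication yes can add a connect delay"; rc=1
    fi
    for h in $(wrap_host_patterns "$allow"); do
        echo "hosts.allow: pattern '$h' forces a reverse lookup of the client"; rc=1
    done
    return $rc
}

# Constructed sample files (not from any real host) so the script runs offline.
make_samples() {
    d=$(mktemp -d)
    printf 'Port 22\n#UseDNS no\nusedns yes\nGSSAPIAuthentication yes\n' > "$d/sshd_config.bad"
    printf 'UseDNS no\nGSSAPIAuthentication no\nMatch User bob\n  UseDNS yes\n' > "$d/sshd_config.good"
    printf 'ALL: localhost\nsshd: 10.0.0.0/8, .example.net\n' > "$d/hosts.allow.bad"
    printf 'ALL: 127.0.0.0/8 [::1]\n' > "$d/hosts.allow.good"
    echo "$d"
}

samples=$(make_samples)   # replace with /etc/ssh/sshd_config and /etc/hosts.allow
audit_ssh_dns "$samples/sshd_config.bad" "$samples/hosts.allow.bad" || echo "reverse DNS triggers found"
rm -rf "$samples"
```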

@fumiyas – he said “-u0” (utmp structure), not “-d0”.