Fixing slow and blocked SSH connections with UseDNS

In the configuration shipped with many Linux distributions, including Debian, OpenSSH will attempt to look up the reverse DNS record for the source IP of every incoming connection. If a result is found, OpenSSH will then attempt to resolve the IP address associated with that name and log a warning message if it does not match the source IP.

This can cause two problems:

  1. If the server’s resolver is slow, there is a noticeable delay when establishing each connection.
  2. If your ISP has not set up matching forward and reverse DNS records, this will trigger the warning and may also result in your IP being blocked if you are running software such as fail2ban or SSHGuard.

In my case, I was being locked out of my server because the connection provider had broken DNS. There was a PTR record for the IP, but that record did not have a matching A record (in fact it had no records at all). I’ve had limited success in getting providers to fix their DNS in the past, but fortunately there’s a single line you can add to sshd_config to disable this check:

UseDNS no

I’m not aware of any downsides to disabling this option on modern systems, though you may run into problems if you are using hostname-based authentication (most people don’t and shouldn’t).
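Added here as an illustration, not code from the original post or from OpenSSH: a small Python script that performs the same forward-confirmed reverse DNS check sshd runs when UseDNS is enabled, so you can test an address yourself and see whether it would produce the warning (and how long the lookups take) before it trips fail2ban or SSHGuard. The function name, the status labels and the 203.0.113.5 documentation-range address are assumptions; the resolver callables are parameters so the check can also be exercised offline.

```python
import socket
import sys
import time

# Hypothetical helper, not part of OpenSSH: reproduces the UseDNS logic
# (PTR lookup, forward lookup of the PTR name, compare with the source IP)
# so an address can be checked before it reaches sshd, fail2ban or SSHGuard.
# The resolver callables are parameters so the check can run offline.
def fcrdns_check(ip, reverse=socket.gethostbyaddr, forward=socket.getaddrinfo):
    """Return (status, hostname, elapsed_seconds) for one source address.

    status is one of:
      "no-ptr"              no reverse record; sshd just logs the bare IP
      "ptr-without-forward" PTR exists but the name has no address records
                            (the broken-provider case described in the post)
      "mismatch"            the name resolves, but not back to this IP
      "match"               forward-confirmed reverse DNS is consistent
    A large elapsed time points at the slow-resolver problem.
    """
    start = time.monotonic()
    try:
        hostname = reverse(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are subclasses
        return ("no-ptr", None, time.monotonic() - start)
    try:
        # getaddrinfo entries are (family, type, proto, canonname, sockaddr)
        addrs = {entry[4][0] for entry in forward(hostname, None)}
    except OSError:
        return ("ptr-without-forward", hostname, time.monotonic() - start)
    status = "match" if ip in addrs else "mismatch"
    return (status, hostname, time.monotonic() - start)


def would_sshd_warn(status):
    """sshd only warns when a PTR was found but did not confirm the IP."""
    return status in ("ptr-without-forward", "mismatch")


if __name__ == "__main__":
    # Usage: python fcrdns_check.py <source-ip>
    # (203.0.113.5 is a documentation-range placeholder, not a real host)
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.5"
    status, name, secs = fcrdns_check(target)
    print(f"{target}: {status} (ptr={name}, {secs:.3f}s)")
    if would_sshd_warn(status):
        print("sshd with UseDNS yes would log a reverse-mapping warning for this IP")
```

Run it against your own client address as seen by the server; a "ptr-without-forward" or "mismatch" result means the warning will appear in the auth log whenever UseDNS is left enabled.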
