| Summary: | sshd Causing DNS Queries on ListenAddress when binding to IPV4 and IPV6 addresses on AIX | ||
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Caleb Lloyd <caleblloyd> |
| Component: | sshd | Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | NEW --- | ||
| Severity: | normal | ||
| Priority: | P5 | ||
| Version: | -current | ||
| Hardware: | PPC | ||
| OS: | AIX | ||
On AIX 7.1, sshd is causing a an AAAA DNS Query to occur on "0.0.0.0" and an A DNS Query to occur on "::" when trying to listen on all IPV4 and IPV6 addresses. If DNS is not configured, OpenSSH will take a long time to try to resolve this DNS query on startup and on receiving a client connection until the DNS query eventually times out. ListenAddresses from /etc/ssh/sshd_config: ListenAddress 0.0.0.0 ListenAddress :: When a listener address is added to the server, the POSIX function "getaddrinfo" is called from servconf.c sshd application calls: getaddrinfo("0.0.0.0") and getaddrinfo("::"), with hints to be NULL for these 2 calls. --------------------------------------------------------------------------- For getaddrinfo("0.0.0.0, ...") call, Internally, it will call these 2 APIs to collect information for both IPv4 and IPv6 addresses since hint is NULL: gethostbyname2("0.0.0.0", AF_INET6) gethostbyname2("0.0.0.0", AF_INET) In gethostbyname2 ("0.0.0.0", AF_INET6); It's asking for an IPv6 address mapping. "0.0.0.0" itself is NOT an IPv6 address, so resolver treats it as a hostname. You will see an AAAA query for hostname "0.0.0.0". In gethostbyname2 ("0.0.0.0", AF_INET); It's asking for an IPv4 address mapping. "0.0.0.0" is an IPv4 address, so resolver will NOT go out to DNS server for answer. --------------------------------------------------------------------------- For getaddrinfo("::",...) call: Internally, it will call these 2 APIs to collect information for both IPv4 and IPv6 addresses since hint is NULL: gethostbyname2("::", AF_INET6) gethostbyname2("::", AF_INET) In gethostbyname2("::", AF_INET6); It is asking for an IPv6 address mapping. "::" itself is an IPv6 address. So it won't do DNS query. In gethostbyname2("::", AF_INET); It is asking for an IPv4 address mapping. "::" is NOT an IPv4 address. "::" itself is NOT an IPv4 address, so resolver treats it as a hostname. You will see an A query for hostname "::". --------------------------------------------------------------------------- The solution would be to define an AddressFamily for each ListenAddress in /etc/ssh/sshd_config like so: AddressFamily inet ListenAddress 0.0.0.0 AddressFamily inet6 ListenAddress :: Another solution would be to create a configuration option that would let AI_NUMERICHOST be passed to the POSIX getaddrinfo() function.