Also At: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=131610

The OpenSSH client will make a series of DNS queries when a user uses ssh to connect to an unqualified short name on a LAN. Some of the IPv6 queries are fed to the name server defined in resolv.conf as if they were a TLD query, which gets bogus traffic forwarded to the root DNS servers.

For example:

ssh user@hostname

resolv.conf:
domain sub.domain.com
nameserver 192.1.1.2

Packet capture:
13:39:40.375681 192.1.1.252.34288 > 192.1.1.2.domain: 57759+ AAAA? hostname.sub.domain.com. (45) (DF)
13:39:40.376425 192.1.1.252.34288 > 192.1.1.2.domain: 57760+ AAAA? hostname. (25) (DF)
13:39:40.395541 192.1.1.252.34288 > 192.1.1.2.domain: 57761+ A? hostname.sub.domain.com. (45) (DF)

The second packet is the problem, as the name server will interpret this as a TLD lookup, causing bogus root name server traffic.

We use ssh extensively in our internal apps, with thousands of ssh sessions being established per day. As this bug seems widespread, I can only imagine what the global impact on root name server traffic is.

In addition to the impact on root server traffic, this problem will cause a 10-second delay in any ssh connections if the local DNS server loses connectivity to the outside world for some reason. This is how this problem was discovered: our Internet connection failed, and suddenly internal SSH connections took 10 seconds longer. This happens as the DNS server waits for two 5-second timeouts for the second query listed above.

Version-Release number of selected component (if applicable): All versions it seems.
OpenSSH just uses the standard getaddrinfo() API; it doesn't do anything magical for DNS queries. Any complaints about getaddrinfo()'s behaviour on your system should be directed to your libc vendor. BTW, you can turn off IPv6 lookups by setting "AddressFamily inet" in your ssh_config.
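To make the resolver side of this exchange concrete, here is an added Python example (not part of the report, of OpenSSH, or of any libc) that replays the report's resolv.conf and packet capture: it models the BIND-style search-list order a stub resolver uses for an unqualified name, generalised to the ndots option so it also covers names with dots, and scans tcpdump-style query lines for single-label names that the name server would have to resolve at the root. The resolv.conf and capture text are constructed copies of the lines quoted in the report.

```python
import re

# Constructed copies of the resolv.conf and tcpdump lines quoted in the report.
RESOLV_CONF = """domain sub.domain.com
nameserver 192.1.1.2
"""

CAPTURE = """\
13:39:40.375681 192.1.1.252.34288 > 192.1.1.2.domain: 57759+ AAAA? hostname.sub.domain.com. (45) (DF)
13:39:40.376425 192.1.1.252.34288 > 192.1.1.2.domain: 57760+ AAAA? hostname. (25) (DF)
13:39:40.395541 192.1.1.252.34288 > 192.1.1.2.domain: 57761+ A? hostname.sub.domain.com. (45) (DF)
"""

def parse_resolv_conf(text):
    """Return (search_list, ndots). Both 'domain' and 'search' feed the search list; ndots defaults to 1."""
    search, ndots = [], 1
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(("#", ";")):
            continue
        if parts[0] in ("domain", "search"):
            search = parts[1:]
        elif parts[0] == "options":
            for opt in parts[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots

def search_candidates(name, search, ndots=1):
    """Order in which a BIND-style stub resolver tries a name: search domains first when the
    name has fewer than ndots dots, otherwise the name as-is first. The bare 'hostname.' entry
    is the query the report shows being forwarded towards the root servers."""
    if name.endswith("."):
        return [name]  # already fully qualified, no search-list expansion
    expanded = [f"{name}.{dom}." for dom in search]
    as_is = name + "."
    return [as_is] + expanded if name.count(".") >= ndots else expanded + [as_is]

def is_tld_lookup(qname):
    """A single label followed only by the root dot ('hostname.') can only be answered at the root zone."""
    return "." not in qname.rstrip(".")

# Matches '<id>+ <A|AAAA>? <qname>' in tcpdump's DNS summary format.
QUERY_RE = re.compile(r"\s(\d+)\+?\s+(A|AAAA)\?\s+(\S+)\s")

def flag_tld_queries(capture):
    """Return (query id, qtype, qname) for captured queries the name server must treat as TLD lookups."""
    flagged = []
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m and is_tld_lookup(m.group(3)):
            flagged.append((int(m.group(1)), m.group(2), m.group(3)))
    return flagged
```

Run against the report's capture, only query 57760 ("hostname.") is flagged; with the search list from the same resolv.conf, search_candidates("hostname", ...) reproduces exactly that ordering of "hostname.sub.domain.com." followed by "hostname.".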