Bug 2126

Summary: ISP bogus NX records override configuration Host
Product: Portable OpenSSH Reporter: Ricky Ng-Adam <rngadam>
Component: ssh Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WORKSFORME    
Severity: normal CC: djm, dtucker
Priority: P5    
Version: 6.0p1   
Hardware: Other   
OS: Linux   

Description Ricky Ng-Adam 2013-07-06 12:18:46 AEST
ii  openssh-client                         1:6.0p1-3ubuntu1                          i386         secure shell (SSH) client, for secure access to remote machines
ii  openssh-server                         1:6.0p1-3ubuntu1                          i386         secure shell (SSH) server, for secure access from remote machines

* Host <Host> in ~/.ssh/config with a correct HostName entry
* ssh <Host>

Expected: connects to <Host>

Actual: ssh does a DNS lookup on the Host first, the ISP returns an IP for their own ad server, ssh tries to connect to that IP and fails

Desired: ssh should check the config file first

Impact: can spend many hours trying to figure out what's wrong with the configuration when it's actually not trying to connect to the RIP IP

Workaround: install dnsmasq and add a bogus-nxdomain=<IP> to /etc/dnsmasq.conf
Comment 1 Damien Miller 2013-07-06 19:14:12 AEST
I'm not sure how this can happen; please attach the output of "ssh -vvv user@host" from a failing session and your ~/.ssh/config.
Comment 2 Darren Tucker 2013-07-12 10:53:55 AEST
(In reply to Damien Miller from comment #1)
> I'm not sure how this can happen;

indeed: ssh will use the Hostname from ssh_config or ~/.ssh/config if present instead of what's returned from DNS.

another workaround: use a different DNS server such as google public DNS
proper solution: get your ISP to stop lying about DNS answers or get a better ISP.
Comment 3 Damien Miller 2013-10-10 11:00:43 AEDT
If you can get a debug trace from unpatched OpenSSH showing this issue then please reopen this bug.
Comment 4 Darren Tucker 2013-10-10 11:17:57 AEDT
(In reply to Damien Miller from comment #3)
> If you can get a debug trace from unpatched OpenSSH showing this
> issue then please reopen this bug.

Also the fragment of ssh_config or ~/.ssh/config that you're using.
Comment 5 Damien Miller 2015-08-11 23:03:25 AEST
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1
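
The behaviour described in comment 2, as an added example that is not from the bug thread or the OpenSSH project: it works out which name ssh would hand to the resolver for a given alias (first matching HostName, otherwise the alias itself) and checks whether the local resolver answers for a name that cannot exist. The config, alias names and addresses are constructed; Match blocks and %h expansion are not handled, and pattern matching is assumed to be case-sensitive.

```python
import re, socket, uuid

# Constructed sample: the alias "build" and 192.0.2.10 are made-up values.
SAMPLE_CONFIG = """\
Host build *.lab !old.lab
    HostName 192.0.2.10
Host *
    ServerAliveInterval 30
"""

def _matches(pattern, name):
    # ssh_config patterns know only the '*' and '?' wildcards.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, name) is not None

def effective_hostname(config_text, alias):
    """Name ssh would hand to the resolver: first matching HostName, else alias."""
    active, hostname = True, None  # options before any Host line apply to all
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "host":
            pats = value.split()
            hit = any(_matches(p, alias) for p in pats if not p.startswith("!"))
            neg = any(_matches(p[1:], alias) for p in pats if p.startswith("!"))
            active = hit and not neg  # a matching negated pattern vetoes the block
        elif key == "hostname" and active and hostname is None:
            hostname = value  # first obtained value wins
    return hostname or alias

def resolver_rewrites_nxdomain(resolve=socket.gethostbyname):
    """True if the resolver answers for a name that cannot exist."""
    probe = uuid.uuid4().hex + ".invalid"  # .invalid is reserved by RFC 6761
    try:
        resolve(probe)
    except OSError:  # socket.gaierror: the honest NXDOMAIN case
        return False
    return True

def diagnose(config_text, alias, resolve=socket.gethostbyname):
    target = effective_hostname(config_text, alias)
    fell_through = target == alias  # no HostName applied, so the alias hits DNS
    return {"target": target, "config_applied": not fell_through,
            "at_risk": fell_through and resolver_rewrites_nxdomain(resolve)}

if __name__ == "__main__":
    print(diagnose(SAMPLE_CONFIG, "build"))
```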