SSH reverse DNS lookup

I was wondering why, when I'm connecting to a server with SSH, it does a reverse DNS lookup on the IP of the remote server.

I have found comments saying that it was for security reasons, and lots of tutorials showing how to disable it, but no explanation.

Thank you


SSHD can be configured to block access to clients whose forward (A) and reverse (PTR) records don't map to each other.

When the connection request comes in the daemon checks the reverse record of the IP: 192.168.1.1 = PTR my.domain.com

It can then check the forward lookup record of the host: my.domain.com = A 192.168.1.1

If my.domain.com doesn't resolve to 192.168.1.1 then it can block the connection.

This is because it is easy to set up your own reverse zone and map a PTR record to whatever host name you would like, but to map the host name to the IP would require you to have access to the authoritative server for that zone, i.e. one more thing a hacker would have to do to gain access.


Not sure about why SSH does it specifically, but if you configure a box to only allow connections from host.xyz.com, anyone can configure a box and call it host.xyz.com, but if you can have a forward DNS entry for host.xyz.com that points to 1.2.3.4 and a PTR for 4.3.2.1.in-addr.arpa that points to host.xyz.com then it's a much better indication that you truly are host.xyz.com.
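As an added illustration of the forward-confirmed reverse DNS check that the two answers above describe (example code written for this page, not from the original posts or from OpenSSH): it resolves the client IP to a PTR name, resolves that name back to addresses, and trusts the name only if the original IP is among them. The zone data is a constructed in-memory table with hypothetical names and addresses so it runs offline; a real implementation would call the system resolver instead.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample zone data (hypothetical names, private/test addresses).
# PTR_RECORDS is keyed by the in-addr.arpa owner name a resolver would query.
PTR_RECORDS: Dict[str, str] = {
    "1.1.168.192.in-addr.arpa": "my.domain.com",  # PTR agrees with the A record below
    "2.1.168.192.in-addr.arpa": "my.domain.com",  # PTR claims a name whose A record points elsewhere
    "4.3.2.1.in-addr.arpa": "host.xyz.com",
    # 192.168.1.3 deliberately has no PTR record at all
}
A_RECORDS: Dict[str, List[str]] = {
    "my.domain.com": ["192.168.1.1"],
    "host.xyz.com": ["1.2.3.4", "1.2.3.5"],  # several A records are fine if one matches
}


def lookup_ptr(ip: str, ptr: Dict[str, str] = PTR_RECORDS) -> Optional[str]:
    """Reverse lookup: build the in-addr.arpa / ip6.arpa name and fetch its PTR."""
    owner = ipaddress.ip_address(ip).reverse_pointer
    return ptr.get(owner)


def forward_confirmed(ip: str, ptr: Dict[str, str] = PTR_RECORDS,
                      a: Dict[str, List[str]] = A_RECORDS) -> Tuple[bool, Optional[str], str]:
    """Return (ok, trusted_name, reason).

    ok is True only when ip -> PTR name -> A records contains ip again.
    When the chain does not close, no host name is trusted and only the
    bare IP should be used (which is what sshd falls back to)."""
    name = lookup_ptr(ip, ptr)
    if name is None:
        return False, None, "no PTR record; use IP address only"
    addrs = a.get(name.lower(), [])
    if ip in addrs:
        return True, name, "PTR and A records agree"
    return False, None, f"PTR says {name} but its A records {addrs or '(none)'} do not include {ip}"


if __name__ == "__main__":
    for client_ip in ("192.168.1.1", "192.168.1.2", "192.168.1.3", "1.2.3.4"):
        print(client_ip, forward_confirmed(client_ip))
```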


Setting UseDNS=no only disables verification of reverse DNS against forward DNS. It does not disable the query, which can be guaranteed useless and require DNS timeouts in various mixed DNS or DHCP environments. Many people are confused about this.

The only way to disable the DNS lookups is to run sshd with the "-u0" option, which fortunately can usually be embedded in /etc/sysconfig/jenkins with the line "OPTIONS=-u9". This has been the case for more than 20 years.