sshd tries reverse DNS lookups with UseDNS no
sshd seems to almost always try to perform a reverse DNS lookup on new connections. For hosts without a PTR entry this causes delays of 5 seconds per query. Sometimes it accepts the connection immediately, sometimes it tries to resolve once, sometimes twice. I observed this using tcpdump port 53 while trying to connect to the server. I have really no idea why it tries to look up twice sometimes.
This seems to be a fairly frequent issue and the standard response is UseDNS no in /etc/ssh/sshd_config. However, I already have this option set and sshd is still trying to perform these reverse lookups.
I found another suggestion here. I tried to add -u0 to /etc/default/ssh, but it doesn't seem to have changed anything.
I'm out of ideas at this point, any suggestion will be welcome.
Solution 1:
Nowadays the most frequent culprit is GSSAPI:
/etc/ssh/sshd_config:
GSSAPIAuthentication no
The other three culprits on the Linux platform have been mentioned in the other answer:
- add the command line option -u0 to sshd
- set UseDNS no
- don't use from=hostname inside authorized_keys files
Solution 2:
UseDNS no does not prevent sshd from performing DNS lookups; it prevents it from rejecting clients when PTR records don't match.
-u0 prevents sshd from logging DNS names in the utmp struct.
Lookups might still happen depending on what a user has in their authorized_keys.
See this for a decent explanation:
http://lists.freebsd.org/pipermail/freebsd-stable/2006-November/030886.html
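As an added example (not code from the question or either answer), the following POSIX sh script audits the settings both answers name: it reads the effective UseDNS and GSSAPIAuthentication values from an sshd_config file and lists authorized_keys entries whose from="..." option contains a hostname pattern rather than an address pattern. File paths and the sample data in comments are assumptions; Match blocks are not parsed, so sshd -T remains the authoritative check.

```shell
#!/bin/sh
# Added example, not code from the question or the answers: audit an
# sshd_config and an authorized_keys file for the three settings named
# above (UseDNS, GSSAPIAuthentication, from="hostname" key options).
# Usage: sh audit_sshd.sh [sshd_config] [authorized_keys]

# First uncommented value of KEYWORD in FILE, lowercased. sshd keeps the
# first value it reads for a keyword, so later duplicates do not count.
# Match blocks are not handled; `sshd -T` prints the effective config.
ssh_opt() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Returns 0 only when both options are explicitly "no"; an unset option
# is reported so the default can be confirmed with `sshd -T`.
check_sshd_config() {
    file=$1; rc=0
    for key in UseDNS GSSAPIAuthentication; do
        case "$(ssh_opt "$file" "$key")" in
            no)  echo "ok:    $key no" ;;
            yes) echo "FIX:   $key yes (set '$key no' in $file)"; rc=1 ;;
            *)   echo "UNSET: $key; confirm with: sshd -T | grep -i $key"; rc=1 ;;
        esac
    done
    return $rc
}

# Print authorized_keys lines whose quoted from="..." list contains a
# pattern that is not an IPv4/IPv6 address or CIDR pattern; matching a
# hostname there forces sshd to reverse-resolve the client.
hostname_from_entries() {
    grep 'from="[^"]*"' "$1" 2>/dev/null | while IFS= read -r line; do
        list=$(printf '%s\n' "$line" | sed 's/.*from="\([^"]*\)".*/\1/')
        # one entry per line; address patterns use digits, hex, : . / * ? and a leading !
        if printf '%s\n' "$list" | tr ',' '\n' |
           grep -qv -e '^!*[0-9./*?]*$' -e '^!*[0-9a-fA-F:.*?/]*:[0-9a-fA-F:.*?/]*$'
        then printf '%s\n' "$line"; fi
    done
}

if [ $# -gt 0 ]; then
    check_sshd_config "$1"
    if [ -n "$2" ]; then
        echo "from= entries that need a reverse lookup:"
        hostname_from_entries "$2"
    fi
fi
```

Unquoted from=host forms and options split across Match blocks are not detected; treat a clean result as a prompt to confirm with sshd -T rather than as proof.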