Recently I noticed that my ssh connections would stall for a few seconds before prompting for a password. It turned out that the ssh client was querying DNS for the server's host key fingerprint (SSHFP records) and waiting for an answer that never came. The time is lost in the client, before it even consults known_hosts; the server is not involved.
12:35PM zzz:~# ssh -v master@myswitch
OpenSSH_6.6.1p1, OpenSSL 1.0.1j-freebsd 15 Oct 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to myswitch [10.202.13.230] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type 1
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420
debug1: Remote protocol version 1.99, remote software version Comware-5.20
debug1: no match: Comware-5.20
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Server host key: RSA 41:3b:42:fd:ea:38:c8:27:f2:d4:7a:17:18:16:14:13
DNS lookup error: general failure        --> ssh stalls here while it sends SSHFP queries (see the tcpdump below)
debug1: Host 'myswitch' is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:473
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
The tcpdump shows the client sending SSHFP queries for myswitch and never getting a response: the same query (ID 3790) is retransmitted to the resolver every five seconds, and the unanswered attempts are what add up to the stall. The "DNS lookup error: general failure" line is the resolver timing out, not a missing record; a resolver that promptly answered NXDOMAIN or NODATA would not delay the connection noticeably.
12:38:07.892258 IP zzz.xx.com.55994 > mydns.com.domain: 3790+ [1au] SSHFP? myswitch. (41)
12:38:12.910363 IP zzz.xx.com.33318 > vmydns.com.domain: 3790+ [1au] SSHFP? myswitch. (41)
12:38:17.926115 IP zzz.xx.com.25719 > vmydns.com.domain: 3790+ [1au] SSHFP? myswitch. (41)
12:38:22.965491 IP zzz.xx.com.29942 > mydns.domain: 3790+ [1au] SSHFP? myswitch. (41)
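To make concrete what the client is asking DNS for, here is an added example (not code from the original post) that builds SSHFP records from an OpenSSH public key line, the same way ssh-keygen -r does, and emulates the comparison the client performs against an answer. It uses only the Python standard library; the Ed25519 key it constructs is a fixed byte pattern for demonstration, not a real host key, and the hostname myswitch. is taken from the post.

```python
"""
Compute and check SSHFP records (RFC 4255 / RFC 6594 / RFC 7479) for an
OpenSSH host key.

Added example, not from the original post. The fingerprint in an SSHFP
record is a hash over the raw public key blob (the base64 field of the
public key line, decoded), which is exactly what the ssh client hashes
when VerifyHostKeyDNS is enabled.
"""
import base64
import hashlib
import struct

# SSHFP "algorithm" field values by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP "fingerprint type" field: 1 = SHA-1, 2 = SHA-256.
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int):
    """Decode one SSH wire-format string at offset; return (value, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_public_key_line(line: str):
    """Parse an OpenSSH public key line ("type base64 [comment]") into (type, blob).

    The key type inside the blob is cross-checked against the text field, so a
    mislabelled line is rejected instead of being hashed under the wrong algorithm.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    blob_type, _ = _read_ssh_string(blob, 0)
    if blob_type.decode("ascii", "replace") != key_type:
        raise ValueError(f"key type mismatch: line says {key_type}, blob says {blob_type!r}")
    if key_type not in SSHFP_ALGORITHM:
        raise ValueError(f"no SSHFP algorithm number for {key_type}")
    return key_type, blob


def sshfp_records(hostname: str, line: str, fptypes=(1, 2)):
    """Return zone-file SSHFP records for the key, one per fingerprint type."""
    key_type, blob = parse_public_key_line(line)
    alg = SSHFP_ALGORITHM[key_type]
    return [
        f"{hostname} IN SSHFP {alg} {fptype} {SSHFP_FPTYPE[fptype](blob).hexdigest()}"
        for fptype in fptypes
    ]


def sshfp_matches(line: str, rr_fields) -> bool:
    """Emulate the client check: does the presented key match one SSHFP answer?

    rr_fields is (algorithm, fptype, hex_fingerprint) as returned by DNS. A match
    only proves something if the answer was DNSSEC-validated; ssh treats an
    unsigned answer as informational, never as authority to accept the key.
    """
    alg, fptype, fingerprint = rr_fields
    key_type, blob = parse_public_key_line(line)
    if SSHFP_ALGORITHM[key_type] != alg or fptype not in SSHFP_FPTYPE:
        return False
    return SSHFP_FPTYPE[fptype](blob).hexdigest().lower() == fingerprint.lower()


def sample_ed25519_line() -> str:
    """Construct a syntactically valid Ed25519 public key line for demonstration.

    The 32-byte "key" is a fixed pattern (assumed, not a real key); only the
    wire encoding matters for the fingerprint computation.
    """
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " demo@example"


if __name__ == "__main__":
    key_line = sample_ed25519_line()
    for rr in sshfp_records("myswitch.", key_line):
        print(rr)
```

Feed it a real line from /etc/ssh/ssh_host_*.pub on the switch or server and the output can be pasted into the zone; the records are only worth publishing if the zone is DNSSEC-signed and the client resolver validates, otherwise the lookup costs time (as above) without adding any assurance.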
This is easily turned off by setting "VerifyHostKeyDNS no" in /etc/ssh/ssh_config (or in ~/.ssh/config, or per invocation with -o VerifyHostKeyDNS=no). Stock OpenSSH defaults this option to no, so a stall like this means a distribution or local configuration has enabled it. Turning it off costs nothing unless the zone actually publishes DNSSEC-signed SSHFP records, which is the only case where the lookup can tell the client anything trustworthy; the alternative is to leave it on and fix the resolver so the queries are answered instead of timing out. After setting the option, ssh skips the DNS lookups and goes straight to the known_hosts file.
debug1: Server host key: RSA 41:3b:42:fd:ea:38:c8:27:f2:d4:7a:17:18:16:14:13
debug1: Host 'myswitch' is known and matches the RSA host key.
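Rather than disabling the lookup globally, it can be scoped to the hosts whose DNS cannot answer it. The following ~/.ssh/config fragment is an added example, not from the original post; myswitch is the host from the post and *.example.net is an assumed placeholder for a domain that does publish signed SSHFP records.

```text
# ~/.ssh/config  (example added here, not from the original post)
# ssh_config uses first-match semantics: the first value obtained for an
# option wins, so host-specific blocks must come before any "Host *" block.

# The switch's DNS never answers SSHFP queries, so skip them for it.
Host myswitch
    VerifyHostKeyDNS no

# A zone that publishes DNSSEC-signed SSHFP records (assumed name).
# "ask" shows the DNS result but still leaves the decision to known_hosts
# and StrictHostKeyChecking; "yes" would let a validated match accept a new key.
Host *.example.net
    VerifyHostKeyDNS ask

Host *
    VerifyHostKeyDNS no
```

Run ssh -v once after the change and confirm the "DNS lookup error" line is gone and the connection goes straight from "Server host key" to the known_hosts match, as in the output above.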