SSH login takes very long time...sometimes

Rostislav Krasny rosti.bsd at
Tue Dec 27 03:42:29 PST 2005

On 12/27/05, David Malone <dwmalone at> wrote:
> On Sun, Dec 25, 2005 at 06:41:57PM +0200, Rostislav Krasny wrote:
> > defined as 4. In a case the DNS server isn't responding the
> > gethostbyname() makes 8 (eight!) reverse resolving attempts for one
> > (!) non-responding DNS server before it returns error. And this is by
> > default. All that is still true for my current 6.0-STABLE.
> >
> > As a workaround I may suggest adding "options attempts:2" or even
> > "options attempts:1" line to the /etc/resolver.conf
> I've often thought that we should make the default login timeout
> longer than our DNS timeout, as it means it is hard (or impossible)
> to log in to fix your DNS server when your DNS server is down. It
> is even worse if you don't control some DNS server in the chain
> between the root and the name you're trying to look up.
> I did once mail des@ to ask him if he'd mind me changing the default
> login timeout for sshd to be (say) 5 minutes rather than 1 minute,
> but I think he was busy at the time. Judging by the PR mentioned
> above it should be at least 2m30s by default.

I think the RES_DFLRETRY should also be decreased from 4 to 2, as it
is defined in most of other systems. By the way, BIND9, that is a part
of the FreeBSD base system, has its own resolver, where the
RES_DFLRETRY is defined as 2 (see below):

> grep RES_DFLRETRY /usr/src/contrib/bind9/lib/bind/include/resolv.h
#define RES_DFLRETRY            2       /* Default #/tries. */
> grep RES_DFLRETRY /usr/include/resolv.h
#define RES_DFLRETRY            4       /* retries per each name server */

And doubling of this number of retries by functions like
gethostbyname() is also mysterious for me yet.
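
The arithmetic behind the thread, as an added example that is not part of the original message or of FreeBSD's source: it totals the worst-case wait for one reverse lookup against dead name servers and compares it with the 1 minute sshd login timeout mentioned above. Assumptions: a 5 second initial timeout that doubles on each retry and is divided by the server count after the first try (the schedule of the BIND-derived stub resolver), and two passes per lookup, matching the 8 attempts reported for RES_DFLRETRY 4; all function names are hypothetical.

```c
#include <stdio.h>

/* Assumption: initial per-query timeout of the stub resolver, in seconds. */
#define ASSUMED_RES_TIMEOUT 5

/* Seconds spent in one pass over `nscount` non-responding servers when
 * every server is tried `retry` times (RES_DFLRETRY / "options attempts").
 * Assumed schedule: timeout = base << attempt, divided by nscount after
 * the first attempt, never below 1 second. */
static int pass_seconds(int retry, int nscount, int base)
{
    int total = 0;
    for (int attempt = 0; attempt < retry; attempt++) {
        int t = base << attempt;
        if (attempt > 0)
            t /= nscount;
        if (t <= 0)
            t = 1;
        total += t * nscount;   /* each dead server is waited on in turn */
    }
    return total;
}

/* Whole lookup: `passes` models the doubling described in the thread
 * (8 attempts observed with a retry count of 4, so passes = 2). */
static int lookup_seconds(int retry, int nscount, int passes)
{
    return passes * pass_seconds(retry, nscount, ASSUMED_RES_TIMEOUT);
}

/* Nonzero if the lookup finishes before the login timeout expires. */
static int fits_login_timeout(int retry, int nscount, int passes, int grace)
{
    return lookup_seconds(retry, nscount, passes) < grace;
}

int main(void)
{
    const int grace = 60;               /* 1 minute, from the thread */
    const int retries[] = { 4, 2, 1 };  /* default, attempts:2, attempts:1 */

    for (int i = 0; i < 3; i++) {
        int s = lookup_seconds(retries[i], 1, 2);
        printf("attempts:%d -> %3d s, %s\n", retries[i], s,
               fits_login_timeout(retries[i], 1, 2, grace)
                   ? "login still possible" : "login times out first");
    }
    return 0;
}
```

With one dead server the default of 4 gives 150 seconds, the 2m30s figure quoted above, while attempts:2 and attempts:1 give 30 and 10 seconds.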