SSH, SSL and DNS headaches

Duane Winner dwinner-lists at att.net
Mon Jun 6 14:36:23 GMT 2005


Well, it's a little comforting to know that it's not just me...and yup, 
that's about when it started for me: around noon (EST) on Friday 5/3.

Please post if you come up with anything.
I'm also trying to cross-post to bind-users at isc.org

Cheers,
DW

John Brooks wrote:

>I am having a similar problem which started on Friday at about
>noon. This is on four FreeBSD boxes (4.11) that were updated via 
>cvsup on May 3 from cvsup10, 11, and 12. These four boxes have
>been in use for 18 months without issue. I make connections
>to IP addresses and not resolvable names, so DNS should not be
>the show stopper in my case. I have already encountered two
>other people experiencing the same type of problem, one of which
>had updated using cvsup10 in the same time frame as me. The
>second has yet to respond.
>
>I am heading over to the client's network now to run checksums
>on the source code files. (I have other networks that are not
>affected).
>
>--
>John Brooks
>john at day-light.com 
>
>
>>-----Original Message-----
>>From: owner-freebsd-questions at freebsd.org
>>[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of
>>dwinner-lists at att.net
>>Sent: Monday, June 06, 2005 8:55 AM
>>To: FreeBSD - Questions
>>Subject: SSH, SSL and DNS headaches
>>
>>
>>Can anybody provide me with some insight into this before I rip 
>>all of my hair out:
>>
>>Starting 3 days ago, suddenly it seemed to take a very, very, 
>>very long time for ssh and ssl communications to negotiate 
>>between nodes on my network.
>>
>>I have 3 subnets:
>>
>>a LAN (10.10.0.0/16)
>>a DMZ (10.20.0.0/16)
>>a secured subnet for databases (10.30.0.0/16)
>>
>>I have 2 DNS/BIND servers running in the DMZ: one for the public 
>>web servers that get NAT'd, providing public DNS lookups for 
>>the outside world. The other DNS server is for internal queries, 
>>providing the corresponding private IP addresses to LAN clients 
>>and servers in the DMZ and secure subnet. Both DNS servers are 
>>running FreeBSD (one is 5.2.1, the other is 5.3).
>>
>>Everything has been working great for months, until, like I said, 
>>3 days ago. Some SSH negotiations were taking so long that they 
>>would time out before I would have a chance to enter the password 
>>for my private key. Apache/SSL communications are also taking a 
>>long time. But when I make initial connections over port 80, it is 
>>very fast. I have also been able to make straight postgresql 
>>connections from nodes on my LAN to database servers in my secure 
>>subnet, but if I ssh to and from the same boxes....slow timeouts. 
>>It seems to be that encrypted traffic is having a problem.
>>
>>The weird thing is that when I tried on a couple of servers to 
>>change the DNS server in resolv.conf from the internal (private 
>>IP address) DNS server to the public server, it seemed to speed 
>>things up. But I don't understand why....why would it be faster 
>>if a lookup reply is providing the external PUBLIC ip address 
>>instead of the internal PRIVATE ip address? And I also don't 
>>understand why this would have just suddenly started 3 days ago 
>>after working fine.
>>
>>All the subnets are separated by a Cisco PIX 515 firewall, and I 
>>see no errors on it. I also see no errors on any of my FreeBSD 
>>boxes in the logs (other than the SSH timeout errors). I've tried 
>>rebooting the PIX, rebooting my DNS servers, rebooting all the 
>>equipment on my communication rack (router, firewall, switches, 
>>etc.). I'm really confused.
>>
>>One thing that has helped is that on 5.3 boxes, I put "UseDNS no" 
>>in sshd_config, and that seemed to help the SSH problem (but no 
>>Apache/SSL). I can't do this on all the boxes, though...some are 
>>5.2.1, and when I put the same directive in there, I get an 
>>invalid config message when I try to restart SSH.
>>
>>Thanks for any help on this. I am going insane.
>>
>>-DW
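The original post reports SSH and Apache/SSL sessions that stall until they time out, while plain port-80 and PostgreSQL connections stay fast, and notes that "UseDNS no" in sshd_config relieved the SSH symptom. With UseDNS enabled, sshd resolves the connecting client's address back to a name before letting authentication proceed, so a hung reverse lookup shows up as exactly this kind of login stall. The script below is an added diagnostic, not code from this thread or from FreeBSD, that times reverse lookups for a list of peer addresses with a hard timeout so that a hung resolver is reported rather than hanging the check itself. The peer addresses and the 2-second "slow" threshold are constructed assumptions drawn from the subnets named in the post; substitute the real addresses of the hosts that stall.

```python
"""Time reverse-DNS lookups for a set of peer addresses.

Added diagnostic for the thread above; not the list's or FreeBSD's own code.
sshd with UseDNS enabled (and Apache with HostnameLookups on) resolve the
peer address to a name before the session continues; if the resolver hangs,
the session hangs with it. Peer addresses below are constructed examples
taken from the subnets named in the thread.
"""
import socket
import threading
import time

# Constructed sample peers: one host from each subnet mentioned in the thread.
SAMPLE_PEERS = ["10.10.1.25", "10.20.1.10", "10.30.1.5"]

# Assumption: a reverse lookup slower than this is noticeable at login time.
SLOW_SECONDS = 2.0


def timed_reverse_lookup(addr, timeout=SLOW_SECONDS * 2):
    """Return (name_or_None, seconds_elapsed, timed_out) for one address.

    socket.gethostbyaddr has no timeout of its own, so the call runs in a
    daemon thread and we stop waiting after `timeout` seconds; a hung
    resolver then shows up as timed_out=True instead of blocking the script.
    """
    result = {}

    def worker():
        try:
            result["name"] = socket.gethostbyaddr(addr)[0]
        except OSError:
            # NXDOMAIN, SERVFAIL or no PTR record: a fast failure is harmless,
            # it is only a slow or absent answer that stalls the daemon.
            result["name"] = None

    start = time.monotonic()
    worker_thread = threading.Thread(target=worker, daemon=True)
    worker_thread.start()
    worker_thread.join(timeout)
    elapsed = time.monotonic() - start
    timed_out = worker_thread.is_alive()
    return result.get("name"), elapsed, timed_out


def classify(measurements, slow=SLOW_SECONDS):
    """Group (addr, seconds, timed_out) tuples into ok / slow / hung buckets.

    Kept separate from the network call so the bucketing can be checked
    offline against constructed timings.
    """
    report = {"ok": [], "slow": [], "hung": []}
    for addr, seconds, timed_out in measurements:
        if timed_out:
            report["hung"].append(addr)
        elif seconds > slow:
            report["slow"].append(addr)
        else:
            report["ok"].append(addr)
    return report


def probe(peers=SAMPLE_PEERS):
    """Measure every peer, print a one-line verdict each, return the report."""
    measurements = []
    for addr in peers:
        name, seconds, timed_out = timed_reverse_lookup(addr)
        measurements.append((addr, seconds, timed_out))
        verdict = "TIMEOUT" if timed_out else f"{seconds:.2f}s -> {name}"
        print(f"{addr:<15} {verdict}")
    return classify(measurements)


if __name__ == "__main__":
    report = probe()
    if report["slow"] or report["hung"]:
        print("Reverse lookups that would stall sshd/Apache:",
              report["slow"] + report["hung"])
```

Run it from the host that is slow to accept logins, with `resolv.conf` pointing at the internal DNS server, and then again pointing at the public server; a peer that lands in the "hung" bucket under the first resolver and "ok" under the second reproduces the behaviour the post describes without touching sshd at all. Addresses that fail quickly with no name are not the problem; only slow or absent answers matter.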


