FreeBSD-11.1 Jails and SSL

Matthew Seaman matthew at FreeBSD.org
Fri Jul 20 12:15:44 UTC 2018


On 19/07/2018 21:52, James B. Byrne via freebsd-questions wrote:
> On Thu, July 19, 2018 16:38, Philipp Vlassakakis wrote:
>>> On 19.07.2018 at 22:29, James B. Byrne
>>> <byrnejb at harte-lyne.ca> wrote:
>>>
>>> UseDNS=YES in /etc/ssh/sshd_config
>> Does the problem persist, if you disable this option?
>>
> No, it does not persist.  Log ons are now as fast as with any other
> host.  Why is UseDNS=YES (the default setting) a problem inside a jail
> and nowhere else?
> 

SSH is doing a reverse lookup on the IP number your connection comes 
from.  It's possible you're timing out on the IP lookup specifically. 
Particularly if you're using private address space -- local_unbound has 
some special settings around the handling of RFC1918 zones -- so compare 
the per-jail config with your main host (which I presume has no similar 
problems?)

Another potential gotcha is if your reverse IP space has a broken DNSSEC 
configuration: local_unbound defaults to enabling DNSSEC processing 
(indeed, that's the primary reason for having local_unbound at all) and 
DNSSEC signing failures will essentially make the affected data 
disappear from the DNS.

	Cheers,

	Matthew
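
An added example, not part of the original message: a Python sketch of the reverse-then-forward lookup that sshd performs when UseDNS is enabled, timing each step so the result inside the jail can be compared with the main host. The function name, the 2-second threshold and the verdict labels are assumptions made for illustration.

```python
import socket
import time


def check_usedns(client_ip, reverse=socket.gethostbyaddr,
                 forward=socket.getaddrinfo, slow_after=2.0,
                 clock=time.monotonic):
    """Time the PTR lookup and the forward confirmation for client_ip.

    reverse/forward/clock are injectable so the logic can be exercised
    without a live resolver. slow_after (seconds) is an assumed threshold.
    """
    result = {"ip": client_ip, "ptr": None, "forward_ok": False,
              "reverse_s": 0.0, "forward_s": 0.0}

    # Step 1: reverse (PTR) lookup of the connecting address.
    start = clock()
    try:
        result["ptr"] = reverse(client_ip)[0]
    except OSError as exc:  # herror, gaierror and timeouts are all OSError
        result["error"] = f"reverse lookup failed: {exc}"
    result["reverse_s"] = clock() - start

    # Step 2: resolve the PTR name and check it maps back to the same address.
    if result["ptr"]:
        start = clock()
        try:
            addrs = {info[4][0] for info in forward(result["ptr"], None)}
            result["forward_ok"] = client_ip in addrs
        except OSError as exc:
            result["error"] = f"forward lookup failed: {exc}"
        result["forward_s"] = clock() - start

    total = result["reverse_s"] + result["forward_s"]
    if total >= slow_after:
        result["verdict"] = "slow-resolver"      # the login delay case
    elif result["ptr"] is None:
        result["verdict"] = "no-ptr"
    elif not result["forward_ok"]:
        result["verdict"] = "ptr-forward-mismatch"
    else:
        result["verdict"] = "ok"
    return result


if __name__ == "__main__":
    import sys
    print(check_usedns(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it with the client's address as the argument, once in the jail and once on the host; a "slow-resolver" verdict in the jail only points at the jail's resolver configuration.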

