slow ssh and ssl ... dns problem?

Sten Carlsen ccc2716 at vip.cybercity.dk
Mon Jun 6 17:23:01 UTC 2005


You may want to check what happens with your reverse lookups. If you don't answer those from your own server, a change in some external server will have big impact on your network.

You can use ethereal or tcpdump to see what goes on in your network, who asks for what etc.

AFAIK something like this happened some time ago for another part of the net.



Duane Winner wrote:

>  Can anybody provide me with some insight into this before I rip all of 
>my hair out:
>
>Starting 3 days ago, suddenly it seemed to take a very, very, very long 
>time for ssh and ssl communications to negotiate between nodes on my 
>network.
>
>I have 3 subnets:
>
>a LAN (10.10.0.0/16)
>a DMZ (10.20.0.0/16)
>a secured subnet for databases (10.30.0.0/16)
>
>I have 2 DNS/Bind servers (9.3.1) running in the DMZ: 1 for the public 
>web servers that get NAT'd, and provide public DNS lookups for the 
>outside world. The other DNS server is for internal queries, providing 
>the corresponding private IP addresses to LAN clients and servers in the 
>DMZ and secure subnet. Both DNS servers are running FreeBSD (one is 
>5.2.1, the other is 5.3)
>
>Everything has been working great for months, until, like I said, 3 days 
>ago. Some SSH negotiations were taking so long that they would time out 
>before I would have a chance to enter the password for my private key. 
>Apache/SSL communications are also taking a long time. But when I make 
>initial connections over port 80, it is very fast. I have also been able 
>to make straight postgresql connections from nodes on my LAN to database 
>servers in my secure subnet, but if I ssh to and from the same 
>boxes....slow timeouts. It seems to be that encrypted traffic is having 
>a problem.
>
>The weird thing is that when I tried on a couple of servers to change 
>the DNS server in resolv.conf from the internal (private IP address) DNS 
>server to the public server, it seemed to speed things up. But I don't 
>understand why....why would it be faster if a lookup reply is providing 
>the external PUBLIC ip address instead of the internal PRIVATE ip 
>address? And I also don't understand why this would have just suddenly 
>started 3 days ago after working fine.
>
>All the subnets are separated by a Cisco PIX 515 firewall, and I see no 
>errors on it. I also see no errors on any of my FreeBSD boxes in the 
>logs (other than the SSH timeout errors). I've tried rebooting the PIX, 
>rebooting my DNS servers, rebooting all the equipment on my 
>communication rack (router, firewall, switches, etc.). I'm really confused.
>
>One thing that has helped is that on 5.3 boxes, I put "UseDNS no" in 
>sshd_config, and that seemed to help the SSH problem (but no 
>Apache/SSL). I can't do this on all the boxes, though...some are 5.2.1, 
>and when I put the same directive in there, I get an invalid config 
>message when I try to restart SSH.
>
>Thanks for any help on this. I am going insane.
>
>P.S.: I cross-posted this to the freebsd-questions mailing list, and I 
>did receive a reply that others are having the same problem...and it all 
>seemed to start about the same time as it did for me: around noon EST on 
>Friday 5/3.
>
>-DW
>

-- 
Best regards

Sten Carlsen

Let HIM who has an empty INBOX send the first mail.
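The reply above suggests checking the reverse lookups and watching the DNS traffic. The script below is an added example, not from this thread or from BIND; it times PTR lookups the way sshd and Apache trigger them and checks whether the resolver is actually authoritative for the private in-addr.arpa zones, so a lookup for 10.x.x.x never has to leave the site. It assumes the BIND 9 dig tool is installed; the resolver address, the three /16 networks and the sample client addresses are taken from the poster's layout and are placeholders.

```shell
#!/bin/sh
# Added example (not the list poster's code): diagnose slow reverse DNS.
# Assumes dig (BIND 9 tools) is installed. Networks 10.10/16, 10.20/16 and
# 10.30/16 come from the original post; resolver and client IPs are
# hypothetical arguments.

# Build the PTR owner name for a dotted-quad IPv4 address (pure string work).
reverse_name() {
    echo "$1" | awk -F. '{ print $4"."$3"."$2"."$1".in-addr.arpa" }'
}

# Reverse zone that should hold the PTR records for a /16 such as 10.10.0.0.
reverse_zone_16() {
    echo "$1" | awk -F. '{ print $2"."$1".in-addr.arpa" }'
}

# Report how long one PTR lookup takes through a resolver and what status
# came back. SERVFAIL or a timeout here is exactly what makes sshd and
# mod_ssl stall while they try to log the client's hostname.
time_ptr() {
    resolver=$1; ip=$2
    out=$(dig +time=2 +tries=1 @"$resolver" -x "$ip" 2>&1) || true
    status=$(echo "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p')
    msec=$(echo "$out" | sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p')
    echo "PTR $ip via $resolver: status=${status:-TIMEOUT} time=${msec:-?}ms"
}

# Ask the resolver for the SOA of the reverse zone. A server that is
# authoritative for it answers with the 'aa' flag set and never forwards
# 10.x.x.x reverse queries to outside servers, which is the failure mode
# the reply warns about.
check_zone_authority() {
    resolver=$1; net=$2
    zone=$(reverse_zone_16 "$net")
    flags=$(dig +time=2 +tries=1 @"$resolver" SOA "$zone" 2>/dev/null \
            | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p')
    case " $flags " in
        *" aa "*) echo "$zone: $resolver is authoritative (good)" ;;
        *)        echo "$zone: $resolver is NOT authoritative; lookups go off-site" ;;
    esac
}

run_checks() {
    resolver=$1; shift
    for net in 10.10.0.0 10.20.0.0 10.30.0.0; do
        check_zone_authority "$resolver" "$net"
    done
    for ip in "$@"; do
        time_ptr "$resolver" "$ip"
    done
}

# Usage: sh ptrcheck.sh <resolver-ip> <client-ip> [<client-ip> ...]
# e.g.   sh ptrcheck.sh 10.20.0.2 10.10.1.5 10.30.0.9   (hypothetical addresses)
# To see the queries themselves, as the reply suggests, run on the resolver:
#   tcpdump -n -i em0 udp port 53      (em0 is an example interface name)
if [ $# -gt 1 ]; then
    run_checks "$@"
fi
```

A query time of a few milliseconds with status NOERROR (or a prompt NXDOMAIN from a server that is authoritative for the zone) is the healthy case; SERVFAIL, multi-second times or a resolver that is not authoritative for 10.x reverse zones means every new SSH or SSL session waits on an outside nameserver. Putting "UseDNS no" in sshd_config, as the poster did, only hides the symptom for sshd; serving the in-addr.arpa zones locally fixes it for every daemon.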


