Apple’s Patched OpenSSH doing SRV lookups?

Recently, while trying to figure out why ssh is taking so long to connect to many systems under Mac OS X 10.4.1, I sniffed the DNS traffic. To my surprise, I see SSH is doing SRV lookups:

0.000000  10.100.0.23 -> 10.100.0.10  DNS Standard query SRV _telnet._tcp.mariesa.techsupport.local
0.001124  10.100.0.23 -> 10.100.0.10  DNS Standard query SRV _telnet._tcp.mariesa.techsupport.local
0.001272  10.100.0.10 -> 10.100.0.23  DNS Standard query response, No such name
0.001989  10.100.0.23 -> 10.100.0.10  DNS Standard query SRV _telnet._tcp.mariesa.techsupport.local
0.002321  10.100.0.10 -> 10.100.0.23  DNS Standard query response, No such name
0.002848  10.100.0.23 -> 10.100.0.10  DNS Standard query SRV _telnet._tcp.mariesa.techsupport.local
0.003176  10.100.0.10 -> 10.100.0.23  DNS Standard query response, No such name
0.003993  10.100.0.10 -> 10.100.0.23  DNS Standard query response, No such name
2.027353  10.100.0.23 -> 10.100.0.10  DNS Standard query SRV _telnet._tcp.mariesa.techsupport.local.techsupport.local
2.027840  10.100.0.23 -> 10.100.0.10  DNS Standard query SRV _telnet._tcp.mariesa.techsupport.local.techsupport.local
2.028764  10.100.0.10 -> 10.100.0.23  DNS Standard query response, No such name
2.029120  10.100.0.10 -> 10.100.0.23  DNS Standard query response, No such name
2.029562  10.100.0.23 -> 10.100.0.10  DNS Standard query SRV _telnet._tcp.mariesa.techsupport.local.techsupport.local
2.030249  10.100.0.23 -> 10.100.0.10  DNS Standard query SRV _telnet._tcp.mariesa.techsupport.local.techsupport.local
2.030829  10.100.0.10 -> 10.100.0.23  DNS Standard query response, No such name
2.031551  10.100.0.10 -> 10.100.0.23  DNS Standard query response, No such name
4.042563  10.100.0.23 -> 10.100.0.10  DNS Standard query A mariesa.techsupport.local
4.043651  10.100.0.10 -> 10.100.0.23  DNS Standard query response A 10.100.0.103
4.064124  10.100.0.23 -> 10.100.0.10  DNS Standard query A mariesa.techsupport.local
4.065093  10.100.0.10 -> 10.100.0.23  DNS Standard query response A 10.100.0.103

That is very aggravating, since I don’t see a way to turn it off. Some Googling reveals a post on the topic.

Update: Stany did a little digging, found lots of patches, but not what I was looking for:

Now, regarding SRV lookups… I’ve not noticed anything magic in the source that causes that to happen. Maybe that’s part of GSSAPI stuff – I frankly wasn’t looking too closely. Maybe it’s something that libSystem.B.dylib does on behalf of ssh. Further investigation is needed, as it didn’t jump out at me.

So I’m thinking that this must be a part of the resolver. Although, it is doing lookups for _telnet._tcp.
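
As an added example (not code from the original post), this sketch parses capture text in the format shown above and measures how long the client sat idle before each new query, separating client-side waits from server response time. The function names and the 1-second stall threshold are assumptions for illustration; the sample lines are abridged from the capture in the post.

```python
import re

# Abridged from the capture in the post (same text format, six of its lines).
CAPTURE = """\
0.000000  10.100.0.23 -> 10.100.0.10  DNS Standard query SRV _telnet._tcp.mariesa.techsupport.local
0.001272  10.100.0.10 -> 10.100.0.23  DNS Standard query response, No such name
2.027353  10.100.0.23 -> 10.100.0.10  DNS Standard query SRV _telnet._tcp.mariesa.techsupport.local.techsupport.local
2.028764  10.100.0.10 -> 10.100.0.23  DNS Standard query response, No such name
4.042563  10.100.0.23 -> 10.100.0.10  DNS Standard query A mariesa.techsupport.local
4.043651  10.100.0.10 -> 10.100.0.23  DNS Standard query response A 10.100.0.103
"""

LINE = re.compile(r"^\s*(\d+\.\d+)\s+(\S+) -> (\S+)\s+DNS Standard query (.+)$")

def parse(text):
    """Return (time, kind, qtype, name) tuples; kind is 'query', 'nxdomain' or 'answer'."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a DNS summary line
        t, rest = float(m.group(1)), m.group(4)
        if rest.startswith("response, No such name"):
            events.append((t, "nxdomain", None, None))
        elif rest.startswith("response"):
            events.append((t, "answer", rest.split()[1], None))
        else:
            qtype, name = rest.split()
            events.append((t, "query", qtype, name))
    return events

def summarize(text, stall=1.0):
    """Count SRV probes and find client-side waits longer than `stall` seconds."""
    events = parse(text)
    queries = [e for e in events if e[1] == "query"]
    srv_names = sorted({e[3] for e in queries if e[2] == "SRV"})
    first_a = next(e[0] for e in queries if e[2] == "A")
    # A stall is a long silence that ends with the client sending a new query.
    stalls = [(round(cur[0] - prev[0], 6), cur[3])
              for prev, cur in zip(events, events[1:])
              if cur[1] == "query" and cur[0] - prev[0] > stall]
    return {"srv_names": srv_names,
            "nxdomain": sum(e[1] == "nxdomain" for e in events),
            "time_to_first_a": round(first_a - events[0][0], 6),
            "stalls": stalls}

if __name__ == "__main__":
    for key, value in summarize(CAPTURE).items():
        print(key, value)
```

On these lines the server answers each query within about a millisecond, while the client waits roughly two seconds after each "No such name" before sending its next query.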

  1. DouglasDD
    August 31st, 2005 at 22:05 | #1

    The DNS behavior that you describe is about to get me banned / disconnected by my ISP, who say that my box is abusing their DNS to the tune of dozens of queries per second!

    At the time the notification was generated my box was running 10.4.2. I’ve just now updated to Security Update 2005-007 (v1.1).

    Since Rogers.com’s tech support is so useless for non-Windows, and the “abuse” team doesn’t return emails, I guess I won’t find out if the latest update fixed the issue or not until after I’m banned :-P

    I’m not yet clear whether the offending software is ssh (or client app) or sshd (the server app).

    Their auto-generated nasty-gram included the following log snippet:

    Date Time, Src, Query, Query type
    2005-08-24 10:03:02.87574, 24.157.68.55, _telnet._tcp.quickbeam.rogers.com., Internet Unknow
    2005-08-24 10:03:02.89364, 24.157.68.55, quickbeam.slnt.phub.net.cable.rogers.com., Internet Addr ?
    2005-08-24 10:03:02.91165, 24.157.68.55, quickbeam.slnt.phub.net.cable.rogers.com., Internet Addr ?
    2005-08-24 10:03:02.92965, 24.157.68.55, quickbeam.phub.net.cable.rogers.com., Internet Addr ?
    2005-08-24 10:03:02.94782, 24.157.68.55, quickbeam.phub.net.cable.rogers.com., Internet Addr ?

    Date Time,Dst,Query,Response
    2005-08-24 10:03:2.87637,24.157.68.55,Error:,3(Name Error)
    2005-08-24 10:03:2.89392,24.157.68.55,Error:,3(Name Error)
    2005-08-24 10:03:2.91205,24.157.68.55,Error:,3(Name Error)
    2005-08-24 10:03:2.93289,24.157.68.55,Error:,3(Name Error)
    2005-08-24 10:03:2.94814,24.157.68.55,Error:,3(Name Error)

    All the best, ./ddd

  2. December 9th, 2005 at 11:59 | #2

    I’ve just been researching the same thing, and it seems that it’s the mDNS service which I think is the actual implementation of Bonjour (aka Rendezvous).

    man mDNS shows examples of advertising services using the syntax:

    mDNS -R "My Test" _http._tcp . 80 (and some other stuff)

    And to search for a resource:

    mDNS -B _http._tcp

    I’ve run a packet capture on an iBook as it bound to Active Directory (just to make sure it was doing it sensibly before we let it near the live systems) and noticed a lot of these DNS requests milliseconds after it bound.

  3. December 9th, 2005 at 12:01 | #3

    NB in my last comment several underscores have been removed from my command line examples (the comments system interpreted them as formatting instructions).
