Prevent hostname lookups with openssh sshd

When you connect to an OpenSSH server, older releases of sshd are configured by default to do a reverse DNS lookup on your IP address and then check that the resolved name maps back to the same address. If the DNS configuration on the host machine is broken, or the DNS server it uses is slow or unreachable, that lookup has to time out before sshd carries on, which adds a delay of around 30 seconds to every login, before you are even prompted for a password or key. It is very easy to switch this lookup off in the sshd_config file.

On most Linux distributions the sshd_config file is /etc/ssh/sshd_config, so it is simply a matter of editing it with your favourite editor as root (or via sudo) and adding the following line. If the file already contains a commented-out "#UseDNS yes", uncomment and change that line rather than adding a second one lower down, because sshd uses the first value it finds for a keyword and a later duplicate is silently ignored:

UseDNS no

This is correct for recent versions of sshd, but older versions used a differently named option for the same check, which you would likewise set to "no" to disable it (I found this on a couple of sites while doing some additional research for this article):

VerifyReverseMapping no

You can always check which options your version of sshd_config supports by having a look in the manual with man sshd_config. On versions that support it, sshd -T (run as root) prints the effective configuration after parsing, so sshd -T | grep -i usedns confirms that the setting is actually in force rather than shadowed by an earlier line.

After making the above change to the configuration file, validate it with sshd -t (it exits non-zero on a syntax error, so a typo cannot take the daemon down) and then reload the SSH daemon. On systemd-based systems that is systemctl reload sshd (the unit is called ssh on Debian and Ubuntu); on older RedHat and CentOS releases you would do service sshd reload, and /etc/init.d/sshd reload should work on most other Linux distributions. A reload re-reads the configuration without disconnecting existing sessions.
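The whole procedure as a script, added here as an example and not taken from the original article: it sets UseDNS no idempotently (replacing a live or commented-out line, dropping later duplicates, and inserting before any Match block, since UseDNS is not permitted inside one and a Match block runs to the end of the file), validates the result with sshd -t, and reloads the daemon. The function and file names, and the sample config files, are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumes POSIX sh and awk,
# and an sshd on PATH for the validate/reload step.
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrites FILE so that exactly one live "KEY VALUE" line remains:
#   - the first live or commented "KEY x" line is replaced in place,
#   - later occurrences of KEY are dropped (sshd only honours the first),
#   - if KEY is absent it is inserted before the first Match block, or
#     appended at the end when there is no Match block.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
    {
        line = $0
        commented = (line ~ /^[[:space:]]*#/)
        sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # strip leading "#" and blanks
        n = split(line, f)
        # A Match block extends to end of file and UseDNS may not appear
        # inside one, so an absent keyword goes in just before the first Match.
        if (!done && !commented && n > 0 && tolower(f[1]) == "match") {
            print k " " v; done = 1
        }
        # A commented line only counts if it looks like "#KEY value" exactly,
        # so a prose comment that merely mentions the keyword is left alone.
        hit = (n > 0 && tolower(f[1]) == tolower(k) && (!commented || n == 2))
        if (hit) {
            if (!done) { print k " " v; done = 1 }   # first match becomes the live setting
            next                                      # duplicates are dropped
        }
        print
    }
    END { if (!done) print k " " v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"      # overwrite in place, keeping owner and mode
    rm -f "$tmp"
}

# effective_value FILE KEY
# Prints the value sshd would use: the first uncommented occurrence of KEY.
effective_value() {
    awk -v k="$2" '
        $0 !~ /^[[:space:]]*#/ && tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# apply_usedns_no [CONFIG]
# Edits the config, checks it parses, then reloads whichever init system is present.
apply_usedns_no() {
    cfg=${1:-/etc/ssh/sshd_config}
    set_sshd_option "$cfg" UseDNS no
    sshd -t -f "$cfg"          # non-zero exit on a syntax error aborts before reload
    if command -v systemctl >/dev/null 2>&1; then
        systemctl reload sshd 2>/dev/null || systemctl reload ssh   # Debian/Ubuntu unit name
    elif command -v service >/dev/null 2>&1; then
        service sshd reload
    else
        /etc/init.d/sshd reload
    fi
}

# Usage (as root): apply_usedns_no            # edits /etc/ssh/sshd_config
#                  apply_usedns_no /path/cfg  # edits another file
```

Run it as root; the function takes the config path as an optional argument so you can try it against a copy first and inspect the result with effective_value before touching the real file.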

Please note that making this change removes a check rather than adding one: sshd no longer resolves the client's address, nor verifies that the resolved name maps back to the same IP. In practice the check proves little on its own, because whoever controls the reverse zone for an address can publish any PTR record they like, but two things do depend on it. Log entries will show only the client's IP address rather than a hostname, and hostname patterns in from= options in authorized_keys and in Match Host blocks can no longer match, so convert those to IP address patterns before switching the lookup off. Note this from the manpage:

UseDNS - Specifies whether sshd should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. The default is "yes".

That quoted default applies to the OpenSSH releases this article was written against; since OpenSSH 6.8 the default is "no", so on a current system you may well find the lookup already disabled and the 30-second delay coming from somewhere else (GSSAPI authentication is a common culprit, which ssh -v on the client will show).