What is the point of sshd “UseDNS” option?

I know what it does, but I don’t know why. What attack(s) does it prevent?

Is it relevant for all kind of authentication methods? (hostbased, password, publickey, keyboard-interactive …)

Asked By: user368507

||

From the manpage of sshd_config(5):

 UseDNS  Specifies whether sshd(8) should look up the remote host name and
         check that the resolved host name for the remote IP address maps
         back to the very same IP address.  The default is “yes”.

Enabling this makes access from a location without proper (forward and reverse) DNS generate a warning in the logs.

So this doesn’t prevent any attack except that it would need some qualified remote address of the client in order not to log any warning. Such a warning may help you in tracing down the attacker only if that PTR record makes any sense.

edit: updated according to comment of Andrey Voitenkov.

Answered By: gertvdijk

The UseDNS option is mostly useless. If the client machines are out there on the Internet, there is a high chance that they don’t have any reverse DNS, their reverse DNS doesn’t resolve forward, or their DNS doesn’t provide any information other than “belongs to this ISP” which the IP address already tells you.

In typical configurations, DNS is only used for logging. It can be used for authentication, but only if IgnoreRhosts no is specified in sshd_config. This is for compatibility with old installations that used rsh, where you can say “the user called bob on the machine called darkstar may log in as alice without showing any credentials” (by writing darkstar bob in ~alice/.rhosts). It is only secure if you trust all the machines that may possibly be connecting to the ssh server. In other words, this is very very rarely usable in a secure way.

Given that the DNS lookup doesn’t provide any useful information except in very peculiar circumstances, it should be turned off. As far as I can tell, the only reason it’s on by default is that it’s technically more secure (if you’re concerned about authentication, not availability), even though that only applies to a tiny set of circumstances.

Another argument for turning off this feature is that every superfluous feature is an unnecessary security risk.

It is needed when you use FROM option in an authorized_keys file and you want to filter by names and not just IPs.

The FROM option in a line of an authorized_keys file allows you to limit hosts that can use a specific key.
This increases the ability of managing multiple servers that have access to each other without allowing clones of a machine to impersonate it’s origin, usually unintentionally (leftover crontabs, human error).

Answered By: Didi Kohen

I added to a bug report (old but still current) in Ubuntu about this.

https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/424371

I proposed changing the default to No and adding newer documentation on it:

# UseDNS - Determines whether IP Address to Hostname lookup and comparison is performed
# Default value is No which avoids login delays when the remote client's DNS cannot be resolved
# Value of No implies that the usage of "from=" in authorized_keys will not support DNS host names but only IP addresses.
# Value of Yes supports host names in "from=" for authorized_keys. Additionally if the remote client's IP address does not match the resolved DNS host name (or could not be reverse lookup resolved) then a warning is logged.
Answered By: Rodney

I’d like to add that on CentOS 7 (7.1.1503) and hence Red Hat Enterprise Linux 7, I was unable to log in with the default setting of yes for UseDNS. After uncommenting and setting it to no, I was able to log in. Thus it appears that one can indeed be denied service if DNS is not working correctly! In CentOS 6, it appears the default is no and hence I can ssh in with no functioning DNS!

I’d like to add that my experimentation was on LXC containers and not physical machine, in case that makes a difference!

Answered By: AnthonyK
Categories: Answers Tags: , , ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.