What is the point of sshd “UseDNS” option?

ssh security dns openssh

114,192

Solution 1

The UseDNS option is mostly useless. If the client machines are out there on the Internet, there is a high chance that they don't have any reverse DNS, their reverse DNS doesn't resolve forward, or their DNS doesn't provide any information other than “belongs to this ISP” which the IP address already tells you.

In typical configurations, DNS is only used for logging. It can be used for authentication, but only if IgnoreRhosts no is specified in sshd_config. This is for compatibility with old installations that used rsh, where you can say “the user called bob on the machine called darkstar may log in as alice without showing any credentials” (by writing darkstar bob in ~alice/.rhosts). It is only secure if you trust all the machines that may possibly be connecting to the ssh server. In other words, this is very very rarely usable in a secure way.

Given that the DNS lookup doesn't provide any useful information except in very peculiar circumstances, it should be turned off. As far as I can tell, the only reason it's on by default is that it's technically more secure (if you're concerned about authentication, not availability), even though that only applies to a tiny set of circumstances.

Another argument for turning off this feature is that every superfluous feature is an unnecessary security risk.

Solution 2

I added to a bug report (old but still current) in Ubuntu about this.

https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/424371

I proposed changing the default to No and adding newer documentation on it:

# UseDNS - Determines whether IP Address to Hostname lookup and comparison is performed
# Default value is No which avoids login delays when the remote client's DNS cannot be resolved
# Value of No implies that the usage of "from=" in authorized_keys will not support DNS host names but only IP addresses.
# Value of Yes supports host names in "from=" for authorized_keys. Additionally if the remote client's IP address does not match the resolved DNS host name (or could not be reverse lookup resolved) then a warning is logged.

Solution 3

From the manpage of sshd_config(5):

 UseDNS  Specifies whether sshd(8) should look up the remote host name and
         check that the resolved host name for the remote IP address maps
         back to the very same IP address.  The default is “yes”.

Enabling this makes access from a location without proper (forward and reverse) DNS generate a warning in the logs.

So this doesn't prevent any attack except that it would need some qualified remote address of the client in order not to log any warning. Such a warning may help you in tracing down the attacker only if that PTR record makes any sense.

^{edit: updated according to comment of Andrey Voitenkov.}

Solution 4

It is needed when you use FROM option in an authorized_keys file and you want to filter by names and not just IPs.

The FROM option in a line of an authorized_keys file allows you to limit hosts that can use a specific key.
This increases the ability of managing multiple servers that have access to each other without allowing clones of a machine to impersonate it's origin, usually unintentionally (leftover crontabs, human error).

Solution 5

I'd like to add that on CentOS 7 (7.1.1503) and hence Red Hat Enterprise Linux 7, I was unable to log in with the default setting of yes for UseDNS. After uncommenting and setting it to no, I was able to log in. Thus it appears that one can indeed be denied service if DNS is not working correctly! In CentOS 6, it appears the default is no and hence I can ssh in with no functioning DNS!

I'd like to add that my experimentation was on LXC containers and not physical machine, in case that makes a difference!

View more solutions

114,192

user368507

Updated on September 18, 2022

Comments

user368507 over 1 year

I know what it does, but I don't know why. What attack(s) does it prevent?

Is it relevant for all kind of authentication methods? (hostbased, password, publickey, keyboard-interactive ...)
- Admin almost 10 years
  
  I added one to CoreOS also here: github.com/coreos/bugs/issues/92
Andrey Voitenkov over 11 years

Why would it make access impossible? sshd just generates warning if DNS A/PTR records do not match. Logon sequence will be slow in case of resolving problems.
user368507 over 11 years

So, UseDNS is relevant only for hostbased authentication ? If i don't use hostbased auth and i don't care if hostname or IP show up in logs, UseDNS makes no difference ?
Gilles 'SO- stop being evil' over 11 years

@user368507 Yes, that's it. UseDNS isn't even useful if you use key-based host authentication, only if you use hostname-based host authentication (i.e. extremely weak authentication).
0xC0000022L about 10 years

Up up upvote ... this is more useful, because it contains a piece of information I was looking for.
ColinM about 8 years

Similarly if UseDNS is no then hostnames cannot be matched in pam_access rules and IPs must be used instead.
kara deniz about 8 years

@Gilles of course, if you use key-based and hostname-based authentication, UseDNS is very much useful, and critical. You authenticate a user based on key, and the server based on hostname, assigned to a MAC address.
Alecz over 6 years

This does prevent access if the authorized key has been compromised as long as the attacker cannot spoof the values in the from= field before the authorized key in question (if used).
dannysauer over 6 years

RedHat (in RHEL7) just recently changed the default to No as well, which breaks hostname-based access controls (which are useful as mostly advisory controls on an intranet, obviously not as the sole access control mechanism).