#3
Old 5th April 2011
J65nko
Administrator

Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,131
The following commented tcpdump output illustrates these name lookups.

Legend
Code:
192.168.222.20  : hercules.utp.xnet, the workstation
192.168.222.244 : vintrax.utp.xnet, the server
192.168.222.10  : parmenides.utp.xnet, the local nameserver for the
                  private utp.xnet domain
An ssh TCP connection has been set up. hercules uses source port 15021 to connect to vintrax on port 22:

Code:
21:02:55.432719 192.168.222.20.15021 > 192.168.222.244.22:
 P 1102:1166(64) ack 1726 win 16384 <nop,nop,timestamp 519684114 2254674010> (DF)
vintrax now fires off a reverse name lookup (a PTR query) for 192.168.222.20.
Note the reversal of the IP address and the addition of the "in-addr.arpa" domain.

Here, as in the ssh connection, the source port is a randomly chosen port >1023 and the destination port is the standard service port, here DNS and thus port 53.

Code:
21:02:55.433758 192.168.222.244.19667 > 192.168.222.10.53:
 55256+ PTR? 20.222.168.192.in-addr.arpa. (45)
The answer of the local nameserver: "192.168.222.20 is hercules.utp.xnet"

Code:
21:02:55.434535 192.168.222.10.53 > 192.168.222.244.19667:
 55256 1/0/0 PTR hercules.utp.xnet. (76)
The server is still not satisfied. A little bit of paranoia is a part of a healthy security awareness.
So it issues another lookup, but now a normal lookup, name to IP address.
In DNS terminology, it asks for the A record:

Code:
21:02:55.434911 192.168.222.244.33933 > 192.168.222.10.53:
 64914+ A? hercules.utp.xnet. (35)
The answer of the local nameserver:

Code:
21:02:55.435436 192.168.222.10.53 > 192.168.222.244.33933:
 64914 1/0/0 A 192.168.222.20 (51)
And then the ssh session continues ....

Code:
21:02:55.437138 192.168.222.244.22 > 192.168.222.20.15021:
   P 1726:1806(80) ack 1166 win 33304 <nop,nop,timestamp 2254674010 519684114> (DF)
21:02:55.437382 192.168.222.20.15021 > 192.168.222.244.22:
   P 1166:1694(528) ack 1806 win 16384 <nop,nop,timestamp 519684114 2254674010> (DF)
The server is doing what is named a double reverse name lookup.
First is the lookup IP -> name; the second one is a name -> IP lookup.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
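The double reverse lookup described in the post, as an added Python example that is not code from the post or from the forum. It reads a constructed capture modelled on the tcpdump lines above (continuation lines joined as tcpdump prints them), pairs each answer with its query by client address, client port and query id, builds a stub resolver from the result, and then runs the PTR -> A check against it. A second, constructed stub table shows the case the second lookup exists for: a PTR record that names a host whose A record does not point back at the querying address. `ptr_name` uses the standard library's `reverse_pointer`, so it also produces `ip6.arpa` names, which goes beyond the IPv4 case in the post; the `stub_lookup` helper and the table layouts are assumptions of this example.

```python
"""Double reverse DNS lookup (PTR, then A) as seen in the tcpdump capture.

Added example, not code from the forum post. The capture text and the
resolver tables are constructed so that the script runs offline.
"""
import ipaddress
import re

# Constructed sample capture, in the old tcpdump DNS format quoted in the post
# (the second line of each packet is an indented continuation line).
CAPTURE = """\
21:02:55.433758 192.168.222.244.19667 > 192.168.222.10.53:
 55256+ PTR? 20.222.168.192.in-addr.arpa. (45)
21:02:55.434535 192.168.222.10.53 > 192.168.222.244.19667:
 55256 1/0/0 PTR hercules.utp.xnet. (76)
21:02:55.434911 192.168.222.244.33933 > 192.168.222.10.53:
 64914+ A? hercules.utp.xnet. (35)
21:02:55.435436 192.168.222.10.53 > 192.168.222.244.33933:
 64914 1/0/0 A 192.168.222.20 (51)
"""

# client, client port, server, query id, query type, query name
QUERY = re.compile(r"^\S+ (\S+)\.(\d+) > (\S+)\.53:\s+(\d+)\+ (PTR|A)\? (\S+) \(\d+\)$")
# server, client, client port, query id, record type, record data
ANSWER = re.compile(r"^\S+ (\S+)\.53 > (\S+)\.(\d+):\s+(\d+) \d+/\d+/\d+ (PTR|A) (\S+) \(\d+\)$")


def _logical_lines(capture):
    """Join tcpdump's indented continuation lines onto the packet line."""
    buf = ""
    for line in capture.splitlines():
        if line[:1].isspace():
            buf += line
            continue
        if buf:
            yield buf
        buf = line
    if buf:
        yield buf


def pair_transactions(capture):
    """Match each DNS answer to its query by (client, client port, query id).

    Returns {(qtype, qname): [rdata, ...]}, usable as a stub resolver table.
    """
    pending = {}
    resolved = {}
    for line in _logical_lines(capture):
        q = QUERY.match(line)
        if q:
            client, port, _server, qid, qtype, qname = q.groups()
            pending[(client, port, qid)] = (qtype, qname)
            continue
        a = ANSWER.match(line)
        if a:
            _server, client, port, qid, _rtype, rdata = a.groups()
            question = pending.pop((client, port, qid), None)
            if question is not None:
                resolved.setdefault(question, []).append(rdata)
    return resolved


def stub_lookup(table):
    """Wrap a {(qtype, qname): [rdata]} table as a lookup(qtype, qname) function."""
    return lambda qtype, qname: table.get((qtype, qname), [])


def ptr_name(ip):
    """Reverse the address and append in-addr.arpa (or ip6.arpa), with trailing dot."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def double_reverse(ip, lookup):
    """PTR lookup for ip, then a forward lookup of every name the PTR returned.

    Returns the first name whose forward record points back at ip, else None.
    """
    addr = ipaddress.ip_address(ip)
    fwd = "A" if addr.version == 4 else "AAAA"
    for name in lookup("PTR", ptr_name(ip)):
        if any(ipaddress.ip_address(r) == addr for r in lookup(fwd, name)):
            return name
    return None


# Constructed stub: the PTR claims hercules, but hercules' A record is another address.
SPOOFED = {
    ("PTR", "99.222.168.192.in-addr.arpa."): ["hercules.utp.xnet."],
    ("A", "hercules.utp.xnet."): ["192.168.222.20"],
}

if __name__ == "__main__":
    from_capture = stub_lookup(pair_transactions(CAPTURE))
    print(double_reverse("192.168.222.20", from_capture))      # hercules.utp.xnet.
    print(double_reverse("192.168.222.99", stub_lookup(SPOOFED)))  # None
```

Only the PTR answer is trusted when the name it returns resolves back to the original address; a mismatch yields None, which is the condition a server such as sshd logs instead of using the claimed hostname.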