slow ssh and ssl ... dns problem?
Kevin Darcy
kcd at daimlerchrysler.com
Tue Jun 28 22:55:27 UTC 2005
Brad Knowles wrote:
>At 12:33 PM -0400 2005-06-06, Duane Winner wrote:
>
>> Starting 3 days ago, suddenly it seemed to take a very, very, very long
>> time for ssh and ssl communications to negotiate between nodes on my
>> network.
>>
>> I have 3 subnets:
>>
>> a LAN (10.10.0.0/16)
>> a DMZ (10.20.0.0/16)
>> a secured subnet for databases (10.30.0.0/16)
>>
>>
>
> The problem is almost certainly reverse DNS for your networks.
>These are RFC-1918 addresses, and while there is a project to serve
>bogus reverse DNS data for them (so that the root nameservers don't
>get buried with this traffic), if your nameservers can't contact
>those machines, you're going to have problems.
>
> A better solution is to set up your own reverse DNS for your IP
>addresses, so that you're not dependent on these external servers for
>your internal DNS.
>
Moreover, I think it should be a Best Practice for *all* organizations
to define *all* of the reverse zones corresponding to the RFC 1918
ranges, i.e. 10.in-addr.arpa, 168.192.in-addr.arpa and the 16 zones from
16.172.in-addr.arpa through 31.172.in-addr.arpa. The purpose is to block
reverse lookups for mistyped and/or misconfigured addresses from being
forwarded to Internet nameservers. Organizations would still, of course,
be free to delegate *beneath* one or more of those higher-level zones,
for maintainability, to optimize replication traffic, or any other
reason they see fit...
- Kevin
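Kevin's recommendation, turned into a concrete BIND configuration. This is an added example, not something posted in the thread: a small POSIX shell script that enumerates the 18 RFC 1918 reverse zones (10/8, 172.16/12 and 192.168/16), writes a single empty zone file (SOA and NS only) that all of them can share, and emits the matching `zone` stanzas for named.conf. With these zones loaded, a PTR query for any private address gets an authoritative NXDOMAIN from the local server straight away, instead of being forwarded to the Internet and timing out, which is exactly the delay sshd's reverse lookup of the connecting client was hitting in the original report. The hostname `ns1.example.com.` and the file paths are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example (not from the original bind-users post): make the local
# nameserver authoritative for every RFC 1918 reverse zone so that reverse
# lookups of private addresses are answered locally instead of forwarded.
# Hostnames and paths used here are assumptions.

# The 18 reverse zones covering 10/8, 172.16/12 and 192.168/16.
rfc1918_reverse_zones() {
    echo 10.in-addr.arpa
    echo 168.192.in-addr.arpa
    i=16
    while [ "$i" -le 31 ]; do
        echo "$i.172.in-addr.arpa"
        i=$((i + 1))
    done
}

# Minimal zone file: SOA and NS records only, with no PTRs. Because the
# file uses "@" for the origin, one copy can serve all 18 zones; every
# name beneath the apex yields an authoritative NXDOMAIN immediately.
#   $1 = fully qualified primary nameserver, e.g. ns1.example.com. (assumed)
empty_zone_file() {
    cat <<EOF
\$TTL 3600
@ IN SOA ${1} hostmaster.${1#*.} ( 1 3600 900 604800 3600 )
@ IN NS  ${1}
EOF
}

# named.conf fragment: one primary ("master") zone stanza per RFC 1918
# reverse zone, all backed by the same empty zone file.
#   $1 = path of the empty zone file as seen by named (assumed)
named_conf_fragment() {
    rfc1918_reverse_zones | while read -r z; do
        printf 'zone "%s" {\n    type master;\n    file "%s";\n    allow-update { none; };\n};\n' \
            "$z" "$1"
    done
}

# Helper for a quick sanity check: number of zone stanzas generated.
count_zones() {
    named_conf_fragment "$1" | grep -c '^zone "'
}

# Typical use (paths assumed; adjust for your distribution's layout):
#   empty_zone_file ns1.example.com. > /etc/bind/db.empty
#   named_conf_fragment /etc/bind/db.empty > /etc/bind/rfc1918-reverse.conf
#   then add  include "/etc/bind/rfc1918-reverse.conf";  to named.conf,
#   run named-checkconf and named-checkzone 10.in-addr.arpa /etc/bind/db.empty,
#   reload, and confirm with:  dig -x 10.1.2.3 @localhost
#   which should return NXDOMAIN with your own SOA in the AUTHORITY section.
```

Two caveats. First, once `10.in-addr.arpa` is served locally, the reverse records for your real subnets (for example `10.10.0.0/16`) must live inside that zone or be delegated from it with NS records, as Kevin notes; otherwise your own hosts will also resolve to NXDOMAIN. Second, BIND 9.4 and later build these empty zones in automatically (`empty-zones-enable` defaults to yes), so on a current release the explicit configuration is needed only if that feature has been turned off or you want to override it with your own data.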