Ubuntu SSH UseDNS Setting Explained
This article explains the purpose of the UseDNS setting
in the Ubuntu Linux SSH server configuration (sshd_config).
It covers how this setting functions, its impact on connection speeds
and security, and how to configure it to optimize your server’s
performance.
The UseDNS directive in the OpenSSH server configuration
controls whether the SSH daemon (sshd) performs reverse and
forward DNS lookups on the connecting client’s IP address. By default,
this setting is often enabled (yes) in many Linux
distributions, including older versions of Ubuntu, though it is
frequently disabled by administrators to resolve login latency.
How UseDNS Works
When a client attempts to connect to an Ubuntu SSH server with
UseDNS enabled, the server performs the following steps:
1. Reverse DNS Lookup: The server takes the client's incoming IP address and queries the DNS server to find the hostname associated with that IP.
2. Forward DNS Lookup: Once the server gets the hostname, it performs a forward DNS lookup to translate that hostname back into an IP address.
3. Verification: The server checks if the resulting IP address matches the original client IP address.
If the IPs match, the server logs the hostname instead of just the IP
address, and can use this hostname for restriction rules defined in
configuration files like /etc/hosts.allow and
/etc/hosts.deny.
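The three steps above, reproduced as an added example (this is not code from the article or from OpenSSH). The real resolver calls are socket.gethostbyaddr and socket.gethostbyname_ex; the fake_reverse/fake_forward functions and the 203.0.113.x / 198.51.100.x records are constructed so the check runs offline and shows the consistent, mismatched and missing-record cases side by side:

```python
import socket
from typing import Callable, List, Tuple

# Hypothetical resolver signatures so the check can be exercised without DNS.
ReverseLookup = Callable[[str], str]        # IP -> PTR hostname; raises OSError on failure
ForwardLookup = Callable[[str], List[str]]  # hostname -> A/AAAA addresses; raises OSError on failure


def system_reverse(ip: str) -> str:
    """Step 1 with the real system resolver: PTR lookup of the client IP."""
    return socket.gethostbyaddr(ip)[0]


def system_forward(hostname: str) -> List[str]:
    """Step 2 with the real system resolver: every address the name maps to."""
    return socket.gethostbyname_ex(hostname)[2]


def usedns_check(client_ip: str,
                 reverse: ReverseLookup = system_reverse,
                 forward: ForwardLookup = system_forward) -> Tuple[bool, str]:
    """Reproduce the UseDNS reverse/forward/verify sequence.

    Returns (verified, name_for_logs): the hostname when the PTR record and the
    forward record agree, otherwise the bare client IP, which is what the server
    has to fall back to when either lookup fails or the addresses differ.
    """
    try:
        hostname = reverse(client_ip)        # step 1: reverse lookup (PTR)
    except OSError:
        return False, client_ip               # no PTR record: nothing to verify
    try:
        addresses = forward(hostname)         # step 2: forward lookup (A/AAAA)
    except OSError:
        return False, client_ip               # the PTR name has no forward record
    if client_ip in addresses:                # step 3: verification
        return True, hostname
    return False, client_ip                   # PTR names a host that does not point back


# Constructed records using RFC 5737 documentation ranges; none of these are real hosts.
CONSTRUCTED_PTR = {
    "203.0.113.10": "bastion.example.test",  # consistent PTR/A pair
    "203.0.113.20": "admin.example.test",    # PTR claims a name whose A record differs
    "203.0.113.30": "ghost.example.test",    # PTR names a host with no A record at all
}
CONSTRUCTED_A = {
    "bastion.example.test": ["203.0.113.10"],
    "admin.example.test": ["198.51.100.5"],
}


def fake_reverse(ip: str) -> str:
    """Stand-in for system_reverse, answering only from the constructed table."""
    if ip not in CONSTRUCTED_PTR:
        raise socket.herror(1, "Unknown host")  # same error family gethostbyaddr raises
    return CONSTRUCTED_PTR[ip]


def fake_forward(hostname: str) -> List[str]:
    """Stand-in for system_forward, answering only from the constructed table."""
    if hostname not in CONSTRUCTED_A:
        raise socket.gaierror(-2, "Name or service not known")
    return CONSTRUCTED_A[hostname]


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20", "203.0.113.30", "192.0.2.1"):
        ok, name = usedns_check(ip, fake_reverse, fake_forward)
        print(f"{ip}: verified={ok}, logged as {name}")
```

Only the first constructed client passes and gets its hostname in the log; the other three are logged by IP. Note that every failure path above still costs a DNS round trip (two, when the PTR exists), which is where the login delay described later comes from when the resolver is slow or unreachable.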
The Purpose and Use Cases
Historically, the primary purpose of UseDNS was security
and logging.
- Hostname-Based Access Control: It allows administrators to restrict SSH access based on domain names rather than static IP addresses.
- Detailed Logging: It ensures that system logs (like /var/log/auth.log) record the hostname of the connecting client, making audit trails easier to read.
- Spoofing Prevention: It attempts to detect basic IP spoofing by verifying that the pointer (PTR) record matches the forward A record.
Why Administrators Disable UseDNS
In modern network environments, UseDNS is frequently set
to no because of the performance issues it can cause.
If the DNS servers configured on the Ubuntu host are slow, misconfigured, or unreachable, the double DNS lookup process will time out. This results in a noticeable delay (often 10 to 30 seconds) when a user tries to log in via SSH, during which the terminal appears to hang before prompting for a password or key.
Furthermore, modern SSH security relies on cryptographic keys and
robust firewall rules rather than DNS-based hostname verification,
making the security benefits of UseDNS negligible for most
setups.
How to Configure UseDNS in Ubuntu
To disable this setting and speed up SSH connections, you can modify the SSH daemon configuration file:
Open the configuration file with administrative privileges:
sudo nano /etc/ssh/sshd_config
Locate the line containing UseDNS. If it is commented out with a # or set to yes, change it to:
UseDNS no
Save the file and exit the editor.
Restart the SSH service to apply the changes:
sudo systemctl restart ssh
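The same edit done programmatically, as an added example rather than anything from the article or from the OpenSSH project. The set_usedns_no and effective_usedns helpers are hypothetical names, and the sample configurations are constructed. The point it adds to the manual steps is the two cases that trip people up: a commented-out line versus no line at all, and a file that contains a Match block, because sshd applies the first value it reads and does not accept UseDNS inside Match, so simply appending "UseDNS no" to such a file is an error.

```python
import re
import sys
from typing import Optional

# A UseDNS line, active or commented out, in either "UseDNS no" or "UseDNS=no"
# spelling; sshd keywords are case-insensitive.
USEDNS_RE = re.compile(r"^\s*(#\s*)?UseDNS\b", re.IGNORECASE)
ACTIVE_USEDNS_RE = re.compile(r"^\s*UseDNS\s*=?\s*(\S+)", re.IGNORECASE)
MATCH_RE = re.compile(r"^\s*Match\b", re.IGNORECASE)


def set_usedns_no(config_text: str) -> str:
    """Return sshd_config text with UseDNS forced to 'no'.

    - The first UseDNS line (active or commented) becomes 'UseDNS no'.
    - Any later active UseDNS line is commented out so the file is unambiguous
      (sshd would ignore it anyway, since the first value it reads wins).
    - If no UseDNS line appears before the first Match block, the directive is
      inserted in front of that block: UseDNS is global and not permitted inside
      Match, so appending it to the end of such a file would break sshd.
    - With neither a UseDNS line nor a Match block, it is appended at the end.
    """
    out = []
    done = False
    for line in config_text.splitlines():
        if MATCH_RE.match(line) and not done:
            out.append("UseDNS no")       # last legal position for a global directive
            done = True
        elif USEDNS_RE.match(line):
            if not done:
                line = "UseDNS no"        # replace the first (possibly commented) copy
                done = True
            elif not line.lstrip().startswith("#"):
                line = "#" + line         # neutralise a duplicate active copy
        out.append(line)
    if not done:
        out.append("UseDNS no")
    return "\n".join(out) + "\n"


def effective_usedns(config_text: str) -> Optional[str]:
    """Value sshd would apply from this text: the first active UseDNS before any
    Match block, or None when the compiled-in default applies."""
    for line in config_text.splitlines():
        if MATCH_RE.match(line):
            break
        m = ACTIVE_USEDNS_RE.match(line)
        if m:
            return m.group(1).lower()
    return None


# Constructed samples; none of these is a real server's file.
CONSTRUCTED_COMMENTED = """# constructed sample resembling a distribution file
Include /etc/ssh/sshd_config.d/*.conf
Port 22
#UseDNS yes
PasswordAuthentication no
"""

CONSTRUCTED_WITH_MATCH = """Port 22
Match User deploy
    PasswordAuthentication no
"""

CONSTRUCTED_DUPLICATE = """UseDNS yes
UseDNS yes
"""


if __name__ == "__main__":
    # Usage: python3 usedns_fix.py /etc/ssh/sshd_config > sshd_config.new
    # Writes the rewritten text to stdout so it can be diffed before installing.
    with open(sys.argv[1], encoding="utf-8") as fh:
        sys.stdout.write(set_usedns_no(fh.read()))
```

Before restarting the service, check the rewritten file with `sudo sshd -t -f sshd_config.new`, and after installing it confirm what the daemon actually applies with `sudo sshd -T | grep -i usedns`. On recent Ubuntu releases the Include line shown in the constructed sample pulls in /etc/ssh/sshd_config.d/*.conf before the rest of the main file, so a UseDNS directive in one of those drop-ins takes precedence over whatever the main file says; the -T output is the authoritative answer.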