MacOS – ssh to non-existent .local name never times out

dnsmacosssh

If I try to connect to a non-existent .local hostname using most utilities, including ping and telnet, it times out after 5 seconds:

% time telnet host.example.local
host.example.local: nodename nor servname provided, or not known
telnet host.example.local  0.01s user 0.01s system 0% cpu 5.018 total

This matches the timeout for the .local config in scutil --dns.

But when I try to ssh to such a hostname, it never times out. (I just Ctrl-C'd one that was still waiting after 16 minutes.) I can't figure out any existing option in any of the ssh_config files that would seem to affect hostname resolution. The only option I see that seems relevant is "CanonicalizeHostname", and it's not configured in any config file, but I manually set it to "no" with no change in behavior. Adding -v flags to ssh doesn't reveal any additional information about hostname resolution beyond the fact that it's "Connecting to host.example.local port 22", which is the last debug line produced.

I tried capturing the MDNS queries for telnet and ssh. It appears to make an initial query, then wait 1s and ask again, then again 3s later, etc., each retry waiting 3 times longer than the last. telnet gave up after three requests (0s, 1s, and 3s), but ssh got up to the seventh request (0s, 1s, 3s, 9s, 27s, 81s, 243s) before I stopped watching.

I can kind of work around the problem by setting ConnectTimeout 5 in ssh_config (even limiting it to *.local), but that breaks if the name resolution completes but the remote ssh server is slow to respond.

How can I get ssh to timeout name resolution in the same manner as other network tools?

Best Answer

Rather than make a bunch of comments, here’s how I would start to corner this. I can’t reproduce this yes, so I might be totally wrong.

First, does ssh using a known bad local IP address time out fast or understandably / reliably?

Second, does the potential (or any) machine show as advertised?

 dns-sd -B _ssh._tcp local

Third, do you have any apple device that’s proxying bonjour sleep wake?

If not, why even try ssh to something that mdns could dig up later or have bonjour sleep proxy trying to keep waking that device. I could see how this longer time-out is by design to allow WOL via sleep proxy and multiple network segments to have a chance to wake your sleeping beautiful Mac.

Related Solutions

MacOS – Do /etc/resolver/ files work in Mountain Lion for DNS resolution

This question seems a bit old, but I'm going to answer it anyways as I had a similar problem:

Yes, this works.

Your first problem is that you obviously have the wrong IP (8.8.8.8 instead of 203.12.160.35) in /etc/resolver/apple.com. Verify that the contents of this file is really:

nameserver 203.12.160.35

Then scutil --dns should have an entry like this:

resolver #8
  domain   : apple.com
  nameserver[0] : 203.12.160.35

The second problem is that you tried to verify it using nslookup which does not use the DNS resolution mechanisms of OS X. If you look at the man page of nslookup you will find this:

Mac OS X NOTICE
   The nslookup command does not use the host name and address resolution or the DNS 
   query routing mechanisms used by other processes running on Mac OS X.  The results of 
   name or address queries printed by nslookup may differ from those found by other
   processes that use the Mac OS X native name and address resolution mechanisms. The 
   results of DNS queries may also differ from queries that use the Mac OS X DNS routing 
   library.

To check your DNS config you could do

dns-sd -G v4 images.apple.com

and verify if it yields the same IP as

nslookup images.apple.com 203.12.160.35

Mountain Lion firewall is randomly delaying DNS requests

You are right. I diagnose the same rate limiting at the firewall level on MacOS X 10.7.4 (Lion).

Moreover, if you look at

/usr/bin/sudo tcpdump -i en0 udp port 53

You will notice that the round trip time to get a reply from 8.8.8.8 is much lower then the 40 msec displayed by the server.

On a long test run I had:

;; Query time: 44 msec

and an average roundtrip time of 26 msec:

09:36:14.360564 IP me.53866 > google-public-dns-a.google.com.domain: 9943+ A? www.google.com. (32)
09:36:14.386302 IP google-public-dns-a.google.com.domain > me.53866: 9943 5/0/0 A 173.194.41.180, A 173.194.41.178, A 173.194.41.176, A 173.194.41.177, A 173.194.41.179 (112)

(386302 - 360564 = 26 msec)

To understand this protection mechanism (against basic DOS), look at:

/usr/bin/sudo pfctl -i en0 -s timeouts

The full documentation of this complex command is pfctl(8) Mountain Lion reference manual

Beware this is a powerfull but highly dangerous command. You may easily break your network access (Where is my backup?).

Best Answer

Related Solutions

MacOS – Do /etc/resolver/ files work in Mountain Lion for DNS resolution

Mountain Lion firewall is randomly delaying DNS requests

Related Question