Chris Waugh wrote:

> The problem I'm observing is that if you telnet/FTP from the local
> segment the daemons wake immediately and you get a login: or name:
> prompt in under half a second.
> 
> If you telnet or FTP from a remote network the login: or name: prompt
> takes 2 minutes or more to appear.

This is occurring because either a reverse DNS lookup or an ident
request is timing out. In either case, the problem is with the client,
and not the server.

For reverse DNS requests, the client's reverse DNS has to be
configured correctly.

There doesn't actually have to be a reverse DNS entry for the client.
However, the nameserver(s) to which the corresponding in-addr.arpa
domain has been delegated must either be reachable, or attempts to
contact them must receive a definite rejection (a RST or an ICMP
destination unreachable error).

If DNS requests simply disappear into the void, the server will wait
until the query times out.

The usual reason for ident requests timing out is that there is a
firewall in between which is silently discarding the packets (rather
than sending a RST or ICMP destination unreachable).

On Linux, a DNS query takes 155 seconds to time out, whilst an ident
(or other TCP connection) takes 189 seconds.

If it's a DNS timeout, running `strace -p <pid>' on the telnetd/ftpd
process will show a sendto() to port 53. If it's an ident timeout,
`netstat -t' will show a connection to port 113 (auth) in the SYN_SENT
state.

-- 
Glynn Clements <[EMAIL PROTECTED]>
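The two diagnostic checks from the reply above, as an added shell example that is not part of the original thread. The netstat and strace samples are constructed; the live_* helpers assume netstat, strace and coreutils timeout are installed and that PID is the stalled telnetd/ftpd child.

```shell
#!/bin/sh
# Added example, not code from the original thread: automate the two checks
# described for a login prompt that stalls only on remote connections.
# Both samples below are constructed; the live_* functions assume
# `netstat`, `strace` and `timeout` are installed.

# Constructed `netstat -tn` output: a telnet session is up, and the server
# has an ident (port 113) connection back to the client stuck in SYN_SENT.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:23           198.51.100.7:40112      ESTABLISHED
tcp        0      1 192.0.2.10:51234        198.51.100.7:113        SYN_SENT'

# Constructed `strace -p PID` output: the daemon has sent a DNS query
# (UDP to port 53) and is now blocked waiting for a reply.
SAMPLE_STRACE='sendto(4, "\253\21\1\0\0\1"..., 44, MSG_NOSIGNAL, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = 44
poll([{fd=4, events=POLLIN}], 1, 5000'

# Print the foreign endpoint of every TCP connection to port 113 that is
# still in SYN_SENT: an ident request whose SYN is being silently dropped
# (no RST, no ICMP unreachable). Reads netstat-style lines on stdin.
stuck_ident() {
    awk '$1 == "tcp" && $6 == "SYN_SENT" && $5 ~ /:113$/ { print $5 }'
}

# Print the nameserver address of every sendto() to UDP port 53 in strace
# output on stdin: a reverse-DNS query that has gone out and not come back.
pending_dns() {
    sed -n '/^sendto(.*sin_port=htons(53)/s/.*sin_addr=inet_addr("\([^"]*\)").*/\1/p'
}

# Live versions for a real stalled daemon. strace writes to stderr, hence
# the 2>&1; timeout stops the trace after 5 seconds if nothing shows up.
live_stuck_ident() {
    netstat -tn 2>/dev/null | stuck_ident
}
live_pending_dns() {
    timeout 5 strace -p "$1" -e trace=sendto 2>&1 | pending_dns
}
```

A non-empty result from stuck_ident points at a firewall dropping ident traffic toward the client; a non-empty result from pending_dns names the nameserver whose silence is holding the login prompt.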