While SSHing into my server with an RSA key, I get this message:

Address 255.100.236.105[1] maps to a1.example.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

Even though I get this error, I am still able to SSH into the machine.

I examined the DNS and figured out the issue. This server has lots of vhosts, so we have multiple A records for the same IP address.

For example:

A a1.example.com 255.100.236.105
A ssh.example.com 255.100.236.105

(there are a few more that point to the same IP)

I am trying to SSH to ssh.example.com, and I am getting the above error. How do I get SSH to realize that the IP has multiple domain names that point to it?

NOTE: I can't ssh to a1.example.com because that subdomain is going through CloudFlare's proxy.

UPDATE: I tested this on two computers. One gave me that error, one did not. Why would that be?

[1] This is a fake IP I made up. I'm not sure if it really points anywhere.

gen_Eric

1 Answer

If you put the reverse DNS name for ssh.example.com in your hosts file, that will usually be the first response returned by DNS.

NickW
  • Entries in `/etc/hosts` will not "always" be the first response returned by DNS. Specifically, if `dns` is before `hosts` in `/etc/nsswitch.conf` your resolver should return the DNS result (if one exists) before ever looking at the hosts file. In any case, this is a pretty dirty hack: the *Right Thing* would be to fix the broken reverse DNS (or disable the DNS check if you really don't care). – voretaq7 May 02 '13 at 16:52
  • This is a dirty hack, but how would he set up multiple RDNS entries for the same IP to always return the correct answer? I'll change the "always", though. – NickW May 02 '13 at 16:59
  • @voretaq7: So, how do I fix the DNS? I have multiple A names for the same IP. – gen_Eric May 02 '13 at 17:05
  • @RocketHazmat You make the PTR record match the hostname you SSH into, and you always SSH into the machine with that specific hostname. Or you disable the reverse DNS check. – voretaq7 May 02 '13 at 17:24
  • @voretaq7: The server has `UseDNS no`. And it doesn't seem like CloudFlare lets me set PTR records. – gen_Eric May 02 '13 at 17:49
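The check that produces the warning is forward-confirmed reverse DNS: the peer address is reverse-resolved to one name (the PTR, or the first name on a matching `/etc/hosts` line), that name is forward-resolved, and the original address must be among the results. Because an address has only one reverse mapping, it does not matter how many A records point at it; only the one name the reverse lookup returns has to map back. The script below is an added example, not code from the question, the answer, or OpenSSH: it replays that logic offline against constructed lookup tables and models the `hosts:` source order from `/etc/nsswitch.conf` that the first comment raises, so the effect of `files dns` versus `dns files` on the hosts-file workaround is visible. The address 255.100.236.105 is the question's made-up IP, the proxy address 203.0.113.10 returned for a1.example.com is an assumption standing in for the CloudFlare-proxied A record, and `Resolver` is a stand-in for the libc resolver, not a real DNS client.

```python
"""Forward-confirmed reverse DNS, the logic behind sshd's
"POSSIBLE BREAK-IN ATTEMPT" log line, replayed against constructed data.
Added example; all names, addresses and the resolver itself are stand-ins."""

from __future__ import annotations

# Constructed data, not a real zone. 255.100.236.105 is the question's fake IP;
# 203.0.113.10 is an ASSUMED proxy address answering for a1.example.com.
DNS_PTR = {"255.100.236.105": "a1.example.com"}
DNS_A = {
    "a1.example.com": {"203.0.113.10"},       # assumed: served by the proxy
    "ssh.example.com": {"255.100.236.105"},
}
HOSTS_FILE = "255.100.236.105  ssh.example.com\n"   # the answer's workaround


def parse_hosts(text: str) -> tuple[dict[str, list[str]], dict[str, set[str]]]:
    """Parse /etc/hosts syntax into (ip -> names) and (name -> ips) maps."""
    by_ip: dict[str, list[str]] = {}
    by_name: dict[str, set[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        by_ip.setdefault(ip, []).extend(names)
        for name in names:
            by_name.setdefault(name.lower(), set()).add(ip)
    return by_ip, by_name


class Resolver:
    """Consults `files` (hosts) and `dns` (the tables above) in the order given,
    first source with an answer wins, mimicking nsswitch.conf's hosts: line."""

    def __init__(self, nsswitch_order: list[str], hosts_text: str,
                 dns_ptr: dict[str, str], dns_a: dict[str, set[str]]) -> None:
        self.order = nsswitch_order
        self.hosts_by_ip, self.hosts_by_name = parse_hosts(hosts_text)
        self.dns_ptr, self.dns_a = dns_ptr, dns_a

    def reverse(self, ip: str) -> str | None:
        """Address -> single name (what getnameinfo() would hand sshd)."""
        for source in self.order:
            if source == "files" and ip in self.hosts_by_ip:
                return self.hosts_by_ip[ip][0]      # first name on the line
            if source == "dns" and ip in self.dns_ptr:
                return self.dns_ptr[ip]
        return None

    def forward(self, name: str) -> set[str]:
        """Name -> addresses (what getaddrinfo() would return)."""
        key = name.lower()
        for source in self.order:
            if source == "files" and key in self.hosts_by_name:
                return self.hosts_by_name[key]
            if source == "dns" and key in self.dns_a:
                return self.dns_a[key]
        return set()


def fcrdns_check(ip: str, resolver: Resolver) -> tuple[str, str]:
    """Return (verdict, name): 'ok' when the reverse name maps back to ip,
    'mismatch' for the break-in warning, 'no-ptr' when no name exists."""
    name = resolver.reverse(ip)
    if name is None:
        return "no-ptr", ip
    if ip in resolver.forward(name):
        return "ok", name
    # Reverse name found, but its forward lookup lacks the address: this is the
    # case logged as "POSSIBLE BREAK-IN ATTEMPT!", after which the bare IP is used.
    return "mismatch", name


def describe(ip: str, resolver: Resolver) -> str:
    """Render the verdict in the wording of the log line from the question."""
    verdict, name = fcrdns_check(ip, resolver)
    if verdict == "mismatch":
        return (f"Address {ip} maps to {name}, but this does not map back to "
                f"the address - POSSIBLE BREAK-IN ATTEMPT!")
    return f"Address {ip} -> {name} ({verdict})"


if __name__ == "__main__":
    ip = "255.100.236.105"
    # 1. Plain DNS: PTR names a1.example.com, whose A record (proxied) lacks ip.
    print(describe(ip, Resolver(["dns", "files"], "", DNS_PTR, DNS_A)))
    # 2. Hosts-file workaround: works only when `files` precedes `dns`.
    print(describe(ip, Resolver(["files", "dns"], HOSTS_FILE, DNS_PTR, DNS_A)))
    print(describe(ip, Resolver(["dns", "files"], HOSTS_FILE, DNS_PTR, DNS_A)))
    # 3. The fix from the comments: a PTR naming the host you actually SSH to.
    print(describe(ip, Resolver(["dns", "files"], "",
                                {ip: "ssh.example.com"}, DNS_A)))
```

Running it prints the warning for the plain-DNS case and for the hosts-file entry under a `dns files` order, and an `ok` verdict when `files` comes first or when the PTR itself names ssh.example.com. That matches the thread: the hosts file is a per-client hack whose effect depends on that client's nsswitch order (one reason two computers can behave differently), while a PTR that matches the hostname used to connect fixes it for every client.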