You can disable reverse DNS lookups for all incoming telnet connections by putting this as the first uncommented line in /etc/hosts.allow:
in.telnetd: ALL
You can also be more selective, and cause the reverse lookups only to happen for certain hosts:
in.telnetd: 137.22.
The reason that reverse DNS lookups are being done at all is that the TCP Wrappers are trying to find out if access is allowed, and will collect what information they need to determine this - the ALL: PARANOID rule in /etc/hosts.deny denies access to machines without a resolvable DNS address, so if the wrappers get that far in determining whether or not to grant access, a reverse DNS query will be generated. The suggested lines in /etc/hosts.allow let the TCP Wrappers decide to give a host telnet access before getting to that rule, so a reverse DNS query is never necessary.
For SSH
Edit the /etc/ssh/sshd_config file and add the following option:
UseDNS no
In order to remove DNS lookups completely, you have to use the -u0 option when starting the sshd server. You can easily add this option to /etc/default/ssh or /etc/sysconfig/sshd or elsewhere suitable for your distribution.
Notes:
Reverse DNS lookups are not made by telnetd but by tcpd.
man tcpd

HOST NAME VERIFICATION

The authentication scheme of some protocols (rlogin, rsh) relies on host names. Some implementations believe the host name that they get from any random name server; other implementations are more careful but use a flawed algorithm.

tcpd verifies the client host name that is returned by the address->name DNS server by looking at the host name and address that are returned by the name->address DNS server. If any discrepancy is detected, tcpd concludes that it is dealing with a host that pretends to have someone elses host name.
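To make the hosts.allow / hosts.deny ordering described above concrete, here is a small simplified model of the tcpd decision (an added illustration, not tcpd's own code): rules are matched first-match-wins, hosts.allow before hosts.deny, and only the PARANOID pattern forces a reverse lookup. The `verified` flag is a constructed stand-in for the forward/reverse DNS cross-check tcpd performs; the configurations at the bottom are constructed to mirror the lines in the answer.

```python
# Simplified model of TCP Wrappers (tcpd) access control. Not tcpd's code:
# "verified" stands in for the real address->name / name->address check,
# and only the ALL, PARANOID and "prefix." client patterns are modelled.

def client_matches(pattern, client_ip, verified, lookups):
    """True if a client pattern matches; records when a reverse lookup is needed."""
    if pattern == "ALL":
        return True                      # matches without any name resolution
    if pattern == "PARANOID":
        lookups.append(client_ip)        # tcpd must resolve and cross-check the name
        return not verified              # PARANOID matches hosts whose name does not verify
    if pattern.endswith("."):            # network prefix such as "137.22."
        return client_ip.startswith(pattern)
    return client_ip == pattern

def rule_matches(rule, daemon, client_ip, verified, lookups):
    """Match one 'daemon_list: client_list' line against a daemon and client."""
    daemons, clients = (part.strip() for part in rule.split(":", 1))
    if daemons != "ALL" and daemon not in [d.strip() for d in daemons.split(",")]:
        return False
    return any(client_matches(c.strip(), client_ip, verified, lookups)
               for c in clients.split(","))

def access_decision(hosts_allow, hosts_deny, daemon, client_ip, verified=True):
    """Evaluate hosts.allow, then hosts.deny; first match wins, no match means allow.
    Returns (granted, list of client addresses that required a reverse lookup)."""
    lookups = []

    def rules(text):  # drop blank lines and comments, as tcpd does
        return [l.strip() for l in text.splitlines()
                if l.strip() and not l.lstrip().startswith("#")]

    for rule in rules(hosts_allow):
        if rule_matches(rule, daemon, client_ip, verified, lookups):
            return True, lookups
    for rule in rules(hosts_deny):
        if rule_matches(rule, daemon, client_ip, verified, lookups):
            return False, lookups
    return True, lookups

# Constructed configurations mirroring the answer: PARANOID in hosts.deny,
# and the two suggested in.telnetd variants for hosts.allow.
HOSTS_DENY = "ALL: PARANOID\n"
ALLOW_ALL = "# allow every telnet client before PARANOID is reached\nin.telnetd: ALL\n"
ALLOW_SELECTIVE = "in.telnetd: 137.22.\n"
```

A telnet client from 137.22.x.x is granted by ALLOW_SELECTIVE with no lookup at all, while a client outside that prefix (or any sshd client, with no hosts.allow line) reaches the PARANOID rule and triggers one.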