# [SOLVED] Can SSH to IPs but not to the host names

## ArsDangor

Hello, world

My DNS resolution is working all right, but I can't SSH to any machines on the Internet if I use their host names. I have no problems at all when using their IP addresses, and I can surf the web with no problems at all with Firefox and Konqueror. However, if I try to SSH, I get:

```
$ ssh -x -l me host.name
ssh: Could not resolve hostname host.name: Name or service not known
```

Of course, it works if I use the IP address:

```
$ host-woods host.name
host.name          CNAME   canonical.host.name
canonical-host.name        A       1.2.3.4
canonical-host.name        A       1.2.3.5
canonical-host.name        A       1.2.3.6
$ ssh -l me 1.2.3.4
me@1.2.3.4's password:
# And I log in
```

Logging into a canonical host name instead of the DNS alias doesn't work either. The only applications that cause problems are SSH and youtube-dl. Everything else seems to be working. And I don't really have access to any DNS servers other than my router or my ISP's servers.

I am using openssh 5.2_p1-r2, with these USE flags:

```
 + + X         : Adds support for X11
 - - X509      : Adds support for X.509 certificate authentication
 - - hpn       : Enable high performance ssh
 - - kerberos  : Adds kerberos support
 - - ldap      : Add support for storing SSH public keys in LDAP
 - - libedit   : Use the libedit library (replacement for readline)
 + + pam       : Adds support PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
 - - pkcs11    : Enable PKCS#11 smartcard support
 - - selinux   : !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
 - - skey      : Enable S/Key (Single use password) authentication support
 - - smartcard : Enables smartcard support
 - - static    : !!do not set this during bootstrap!! Causes binaries to be statically linked instead of dynamically
 + + tcpd      : Adds support for TCP wrappers
```

As I saw it on other posts:

```
$ cat /etc/hosts
# IPv4 and IPv6 localhost aliases
127.0.0.1       localhost
::1             localhost
192.168.3.2     starwars
192.168.1.1     router
192.168.3.4     Misato
192.168.3.6     Ritsuko
$ cat /etc/resolv.conf
nameserver 192.168.1.1
$ cat /etc/host.conf
order hosts, bind
multi off
```

Any ideas of what can be wrong?

Thanks.

EDIT: I forgot to mention: I used to have nscd enabled. If I stop it, I still can browse the Internet, but then the error from SSH and youtube-dl changes to "Temporary failure in name resolution".

----------

## forkbomb

```
$ host-woods host.name
host.name          CNAME   canonical.host.name
```

My bind is a bit rusty, but if the name of your domain record file is host.name, then host.name is a domain. You can't CNAME a domain name to a host name. EDIT: Well, at least as far as I remember and based on how I'm reading the question...

----------

## ArsDangor

Sorry if I wasn't clear. I am really using the host name, I was just trying to express that the host name is aliased and it doesn't affect the results. Will change to canonical-host.name so that it's clearer. :)

----------

## forkbomb

*ArsDangor wrote:*

> Sorry if I wasn't clear. I am really using the host name, I was just trying to express that the host name is aliased and it doesn't affect the results. Will change to canonical-host.name so that it's clearer.

Oh, OK. Disregard, then. I misread the question. :)

----------

## scherz0

Hi ArsDangor,

I assume that this is not a shared library issue. Here are a few ideas:

- does it work using a name defined in /etc/hosts?
- if you have access to the dns server log, have you checked that ssh does any query?
- if you don't have access to the dns log, have you tried to dump the network traffic (check for dns queries/answers)?
- have you tried to strace ssh?

----------

## ArsDangor

scherz0, thanks a lot for your answer.

*Quote:*

> does it work using a name defined in /etc/hosts?

It does.

*Quote:*

> if you have access to the dns server log, have you checked that ssh does any query?

I don't.

*Quote:*

> if you don't have access to the dns log, have you tried to dump the network traffic (check for dns queries/answers)?

I did. I used tshark (wireshark's command-line tool), to get the following:

```
 60.593110  192.168.1.4 -> 192.168.1.1  DNS Standard query A host.name
 60.593169  192.168.1.4 -> 192.168.1.1  DNS Standard query AAAA host.name
 60.612973  192.168.1.1 -> 192.168.1.4  DNS Standard query response A host.name
 60.616601  192.168.1.1 -> 192.168.1.4  DNS Standard query response
 60.616701  192.168.1.4 -> 192.168.1.1  DNS Standard query A host.name
 60.616740  192.168.1.4 -> 192.168.1.1  DNS Standard query AAAA host.name
 60.634298  192.168.1.1 -> 192.168.1.4  DNS Standard query response
 60.634430  192.168.1.4 -> 192.168.1.1  DNS Standard query A host.name
 60.634470  192.168.1.4 -> 192.168.1.1  DNS Standard query AAAA host.name
 60.639848  192.168.1.1 -> 192.168.1.4  DNS Standard query response A 1.2.3.4
 60.652880  192.168.1.1 -> 192.168.1.4  DNS Standard query response A 1.2.3.4
 60.656779  192.168.1.1 -> 192.168.1.4  DNS Standard query response
 60.656852  192.168.1.4 -> 192.168.1.1  DNS Standard query A host.name
 60.656889  192.168.1.4 -> 192.168.1.1  DNS Standard query AAAA host.name
 60.675330  192.168.1.1 -> 192.168.1.4  DNS Standard query response A 1.2.3.4
 60.677650  192.168.1.1 -> 192.168.1.4  DNS Standard query response
```

*Quote:*

> have you tried to strace ssh?

I just have.

It shows the queries and the replies (it's just too long to paste it here). Also, I see no errors from "sendto" or "recvfrom" calls. It just discards the results for no apparent reason...

Unless someone finds something better, I'll try to re-compile SSH with softer CFLAGS. Not that they are too aggressive, anyways.

Thanks.

----------

## malern

Could be an IPv6 issue. You can force ssh to only do IPv4 DNS lookups by adding "AddressFamily inet" to /etc/ssh/ssh_config. It's not really a long term solution, but it might help you narrow down the problem.

----------

## xtz

Hm, it seems like you have a response to an A query... which means that the address is resolved with IPv4... However, if ssh first tries with an AAAA (IPv6) and doesn't receive a reply, it may decide that the name does not exist and not wait for the IPv4 reply. I've seen similar situations, solved by disabling IPv6. If you don't plan to use IPv6 at all, maybe it's better to include "-ipv6" in the USE flags in /etc/make.conf.

----------

## ArsDangor

malern and xtz, THANKS!! That solved my problem. I ran `ssh -o AddressFamily=inet <host>` and it worked!

I already added it to my /etc/ssh/ssh_config, as my ISP is pure IPv4 and my work is also pure IPv4... Now I have to figure out what's wrong with youtube-dl, but that's less important.

----------
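The split this thread ended on can be checked without ssh: with its default `AddressFamily any`, OpenSSH lets `getaddrinfo()` look up both IPv4 and IPv6 addresses, while `AddressFamily inet` restricts the lookup to IPv4. The script below is an added example, not part of the original thread; `probe`, `diagnose` and `broken_router_resolver` are hypothetical names, and the resolver stand-in with its 192.0.2.10 address is constructed so the script also runs offline.

```python
import socket
import sys

FAMILIES = {"unspec": socket.AF_UNSPEC,   # ssh default (AddressFamily any)
            "inet": socket.AF_INET,       # AddressFamily inet
            "inet6": socket.AF_INET6}     # AddressFamily inet6

def probe(host, resolver=socket.getaddrinfo):
    """Resolve host once per address family; map family -> addresses or error text."""
    results = {}
    for label, family in FAMILIES.items():
        try:
            infos = resolver(host, 22, family, socket.SOCK_STREAM)
            results[label] = sorted({info[4][0] for info in infos})
        except socket.gaierror as exc:
            results[label] = f"error: {exc.strerror or exc}"
    return results

def diagnose(results):
    """Classify a probe() result into one of three cases."""
    ok = {label: isinstance(value, list) and bool(value)
          for label, value in results.items()}
    if ok["unspec"]:
        return "ok"
    if ok["inet"]:
        # The thread's case: the name resolves, but only when IPv6 is left out.
        return "ipv6-lookup-breaks-unspec"
    return "name-does-not-resolve"

def broken_router_resolver(host, port, family=0, type=0):
    """Constructed stand-in for a resolver path that only answers IPv4-only lookups."""
    if family == socket.AF_INET:
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", port))]
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = probe(sys.argv[1])                      # real lookup
    else:
        results = probe("host.example", broken_router_resolver)  # offline demo
    for label, value in results.items():
        print(f"{label:7} {value}")
    print("diagnosis:", diagnose(results))
```

Run with a host name as the only argument to test the local resolver; a result of `ipv6-lookup-breaks-unspec` is the situation where `AddressFamily inet` makes ssh work.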

