I'm trying to connect from a 10.04 system to a 12.04 system via SSH. Strangely enough the rules in resolv.conf seem to take effect only selectively, which leaves me puzzled. Observe:
[2] user@mach:~$ ssh pangolin
ssh: Could not resolve hostname pangolin: Name or service not known
[2] user@mach:~$ host pangolin
pangolin.subdomain.domain.tld has address 172.16.7.12
subdomain.domain.tld is on the search line in /etc/resolv.conf and using host the name is properly searched given those rules. However, with the SSH client ssh I receive the error reproduced above. How can this be? I was always of the impression that the name resolution rules in resolv.conf apply system-global.
Note: /etc/hosts doesn't declare the name pangolin at all. The package openssh-server is configured on the target machine. The question is purely about why name resolution isn't consistent between those two programs.
Another note: the command works fine when I enter the fully-qualified domain name, i.e. pangolin.subdomain.domain.tld.
Meanwhile I rebooted the client machine (10.04) and the problem still exists. A DNS caching daemon isn't installed, so I reckon that shouldn't have been a problem anyway.
The information asked for in the comment:
$ grep host /etc/nsswitch.conf
hosts: files dns
/etc/resolv.conf, I transformed the domain names consistently:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 172.16.1.1
nameserver 172.16.1.5
search subdomain.domain1.com domain1.com domain2 domain3.com domain2.ccTLD domain3.net dev.domain1.com sdk.dev.domain1.com
... and the full /etc/nsswitch.conf:
$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat
group: compat
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
... and /etc/network/interfaces, which is the source for resolv.conf in 12.04:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 172.16.1.234
netmask 255.255.0.0
gateway 172.16.255.254
dns-nameservers 172.16.1.1 172.16.1.5
dns-search domain1.com. domain2. domain3.com. domain2.ccTLD. domain3.net. dev.domain1.com. sdk.dev.domain1.com. subdomain.domain1.com.
dns-domain subdomain.domain1.com.
Note: the transformation of the domain names was done with sed, so it's consistent between the various reproduced files.
There is no ~/.ssh/config, but here's the global one (/etc/ssh/ssh_config), shrunk for the sake of brevity:
$ grep -v '^#' /etc/ssh/ssh_config |grep -v '^[[:space:]]*$'
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no
$ mtr pangolin
Name or service not known: Success
Whereas ssh and other programs such as ping use the glibc resolver to look up the host name ('pangolin' in this case), host looks the name up in DNS directly, bypassing the glibc resolver. That's the difference.
However, given that the glibc resolver is, on your machine, configured to try dns after files, I can't explain why the resolver fails where host succeeds.
To try with the glibc resolver, one can use getent hosts ... in place of host ... .
I have seen this behavior reported before when dnsmasq was used as a local forwarding nameserver (https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/998712) but you aren't using such a local nameserver; but perhaps the problem there and here wasn't in dnsmasq but in the glibc resolver.
Your ssh may try to resolve IP6 and time out doing this. If you are not using IP6 try disabling IP6 in /etc/ssh/ssh_config by changing AddressFamily from any to inet.
I got this error by putting a domain entry line before the 2 nameserver lines by accident. nslookup worked. wget worked. ssh, scp, rsync failed.
Moving domain to below nameservers and saving resolv.conf fixed it. Nothing else was necessary for me.
I've come across this a couple of times, and it always throws me until I remember the six domain restriction on the search list in resolv.conf.
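
A check for the search-list restriction mentioned in the answer above, as an added example that is not from any poster on this page. It assumes the limits resolv.conf(5) documents for glibc before 2.26 (six search domains, 256 characters in the search list, three nameservers); the function names are hypothetical and the sample input is the resolv.conf quoted in the question.

```python
# Added example. Limits are the ones resolv.conf(5) documents for glibc < 2.26.
MAXDNSRCH = 6        # search domains honoured
MAXSEARCHLEN = 256   # total characters allowed in the search list
MAXNS = 3            # nameserver lines honoured

# Constructed sample: the resolv.conf quoted in the question.
SAMPLE = """\
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
nameserver 172.16.1.1
nameserver 172.16.1.5
search subdomain.domain1.com domain1.com domain2 domain3.com domain2.ccTLD domain3.net dev.domain1.com sdk.dev.domain1.com
"""


def parse_resolv_conf(text):
    """Return (nameservers, search). The last search/domain line wins."""
    nameservers, search = [], []
    for raw in text.splitlines():
        if not raw.strip() or raw[0] in "#;":   # comment marker in column one
            continue
        keyword, *args = raw.split()
        if keyword == "nameserver" and args:
            nameservers.append(args[0])
        elif keyword == "search":
            search = args
        elif keyword == "domain" and args:
            search = args[:1]
    return nameservers, search


def report(text):
    """Show which entries a resolver with the legacy limits would use."""
    nameservers, search = parse_resolv_conf(text)
    return {
        "nameservers_used": nameservers[:MAXNS],
        "nameservers_ignored": nameservers[MAXNS:],
        "search_used": search[:MAXDNSRCH],
        "search_ignored": search[MAXDNSRCH:],
        "search_too_long": len(" ".join(search)) > MAXSEARCHLEN,
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE).items():
        print(f"{key}: {value}")
```

On the question's file this reports dev.domain1.com and sdk.dev.domain1.com as ignored; subdomain.domain1.com is first in the list and is kept.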
I know that this is an ancient question, but I'll add in what worked for me.
I had the same issue and found that in my nsswitch.conf, there was mdns in addition to files and dns. Removing mdns4 resolved this issue for me.
I was facing trouble accessing my sftp server. The ftp user was not able to log in to sftp from another server. (Solaris - Openssh). I commented the "dns" entry in the nsswitch.conf and the issue resolved.