
A possible fix for slow SSH and Safari domain issues Internet
For the most part, this hint applies to Tiger only, but there may be aspects of it surrounding ssh and connections in general that are good for pre-Tiger as well.

First, let's start with the slow SSH logins. As you may be aware, the Apple Discussion Forums have been getting a little noise about this problem, where ssh'ing into remote machines takes an unusually long amount of time. Between that and other sites, there are several posts where people have this problem, along with varying solutions.

I have seen this issue pop up on the OpenSSH mailing list and Google Groups as well, so it is getting more and more attention. Of all the workarounds, none worked for me at all; I was averaging 45-second connection times to servers over ssh. The only constant was Tiger. Linux and pre-Tiger had no such problems. If you read the links, you will find varying solutions from editing configuration files to creating local entries in /etc/hosts. Again, none worked for me.

I was starting to get down and dirty and poking around in tcpdump to see what was really going on. It appears a massive amount of DNS lookups are happening; in general, I was seeing 30 or more lookups to get to the final host, where DNS was traversing every hostname and every reverse of that hostname looking for a response. In my case, Comcast just does not like to reply for reverse DNS at all.

I am leaning on it being related to problems with IPv6, cheaper home-style routers, and certain ISPs that are not playing nice with reverse DNS and IPv6, though I cannot be 100% sure. I can say that one way to resolve it is for me to use my own DNS server at my collocation facility, which I know is configured correctly and can handle the lookups. I was not entirely happy to do this as I like to use my connection ISP's DHCP-supplied DNS so I know I am getting to sites that everyone else is getting to.

With the background on that slow SSH issue explained, there is also a new problem many are having with Safari. You used to be able to type in "domain", where domain may be "macosxhints", "apple", "amazon" etc., and Safari was smart enough to start looking up the .com, then .net versions of those sites ... generally taking you to the first hit. A number of people, myself included, were ending up at pages that had nothing to do with the site we were used to arriving at. There definitely seems to be a trend in that this affects Comcast users the most, but it also affects others as well.

Finally, I started poking around in TCP/IP settings and wanted to know what the heck the "Search Domains" field was for. For the first time in my life, I decided to use Apple Help and it found a result... Here is what it has to say:
You can use search domains to avoid typing the complete address of Internet domains you use frequently. The search domains you enter in your Network preferences are automatically appended to names you type in Internet applications. For example, if you specify the search domain apple.com, typing "store" in your web browser takes you to store.apple.com. Or, if you use campus.university.edu as a search domain, you can type "server1" in the Finder's Connect To Server dialog to connect to server1.campus.university.edu.
And that is the solution to all my problems, and the basis of this hint. Simply enter in .com as the search domain, and click "Apply Now". For me, that cured my Safari issues and my slow SSH issues.

Some people may already have something in that field; I notice that Airport Admin Utility, on some networks, auto-fills it in with .com or sometimes the ISP's host name. In those cases, I am betting those are the lucky users who are not affected by this. Others not affected would include those with smarter routers, i.e., not a Linksys sub-$100.00 product, those with control of their own DNS, and of course, those who are sitting in just the right phase with the moon.

If anything, this should keep Safari from dropping you into domain registrar page holder sites. For me, though, it was a two-fold solution and fixed my slow SSH issues as well.

The following comments are owned by whoever posted them. This site is not responsible for what they say.
openSSH changed in tiger
Authored by: SOX on Jun 22, '05 11:58:16AM

In Tiger, if you want to do any fancy X11 windows you now need to use:
ssh -Y
in place of
ssh -X

Normal X11 stuff is unaffected, but things that use OpenGL or fancy stuff have to be run with the -Y option. This used to be the default but it silently changed between Panther and Tiger.

Note the reason for the change is that it's a minor security hole. When you use -Y you are declaring the computer sending the graphics is trustworthy and you don't mind if it were to, say, capture your keystrokes or read your screen. In most cases the remote machine is your own computer and you trust it. If the remote machine is shared with hostile users, then think twice.



[ Reply to This | # ]
openSSH changed in tiger
Authored by: jvl001 on Jun 22, '05 04:42:21PM

If you are experiencing very slow logins (>30s) then it is likely a DNS reverse-lookup issue.
If you are experiencing slow, but not too slow, logins (~6s) and you use X11 forwarding then it is likely xauth holding things up.
(You can see exactly where the pause is by using 'ssh -vvv remotehost'.)

To switch to trusted X11 forwarding, you can permanently alter your /etc/ssh_config file as root. Thus you can avoid constantly using the -Y or -X option. You can even specify the style of X11 authentication by remote host name:

# Example /etc/ssh_config file
# Example of trustworthy hosts (with wildcards)
Host trusty.host.com *.remote.net host???.somewhere.com
    ForwardX11Trusted yes
# Example of X11 forwarding but without trust (for all other hosts)
Host *
    ForwardX11 yes





[ Reply to This | # ]
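
To check which hosts the configuration above would give trusted X11 forwarding, this added example (not part of the comment and not OpenSSH code) evaluates it with the ssh_config rules: `*` and `?` wildcards, `!` negation, and the first value obtained for a keyword wins. The `no` defaults for both options are assumed to be the upstream OpenSSH ones (a vendor build may differ), and the function names are hypothetical.

```python
import re

# The configuration from the comment above, option lines indented.
SSH_CONFIG = """\
# Example of trustworthy hosts (with wildcards)
Host trusty.host.com *.remote.net host???.somewhere.com
    ForwardX11Trusted yes
# Example of X11 forwarding but without trust (for all other hosts)
Host *
    ForwardX11 yes
"""

# Assumption: upstream OpenSSH defaults; a vendor build may differ.
DEFAULTS = {"forwardx11": "no", "forwardx11trusted": "no"}

def pattern_matches(pattern, host):
    """ssh_config wildcards: '*' is any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, host, re.IGNORECASE) is not None

def host_line_matches(patterns, host):
    """A Host line applies if a pattern matches and no '!negated' one does."""
    if any(p.startswith("!") and pattern_matches(p[1:], host) for p in patterns):
        return False
    return any(not p.startswith("!") and pattern_matches(p, host) for p in patterns)

def effective(config, host):
    """Collect options for host; the first value seen for a keyword wins."""
    result, active = {}, True      # options before any Host line apply to all
    for line in config.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        key, args = fields[0].lower(), fields[1:]
        if key == "host":
            active = host_line_matches(args, host)
        elif active and args:
            result.setdefault(key, args[0].lower())
    return {**DEFAULTS, **result}

def x11_mode(config, host):
    """'off', 'untrusted' (like ssh -X) or 'trusted' (like ssh -Y)."""
    opts = effective(config, host)
    if opts["forwardx11"] != "yes":
        return "off"
    return "trusted" if opts["forwardx11trusted"] == "yes" else "untrusted"

if __name__ == "__main__":
    for h in ("trusty.host.com", "db1.remote.net", "host1234.somewhere.com"):
        print(h, x11_mode(SSH_CONFIG, h))
```

Note that `host???` matches exactly three trailing characters, so `host1234.somewhere.com` falls through to the untrusted `Host *` block, and that the trusted hosts only get forwarding at all because `Host *` also applies to them.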
openSSH changed in tiger
Authored by: BobHarris on Sep 06, '05 05:27:09PM

This trick also works if you are a Tarantella user.

http://tarantella.com

Our company uses Tarantella to get faster cross country X-Windows performance (I'm in New Hampshire, and my test system is in Texas).

With Mac OS X 10.3 (Panther), Tarantella was fast. But then I upgraded to Tiger, and performance was worse than a regular X-Windows connection.

I had figured out that Tarantella was using ssh, but I could not modify the binary to use ssh -Y when making a connection from my workstation to the test system.

When I added ForwardX11Trusted to my PowerMac's $HOME/.ssh/config my Tarantella performance returned.

Bob Harris



[ Reply to This | # ]
A possible fix for slow SSH and Safari domain issues
Authored by: voxmea on Jun 22, '05 01:01:49PM

This worked for me as well!!!!!!!!!!!

Thank you, thank you, thank you.

Slow ssh has been awful.



[ Reply to This | # ]
A possible fix for slow SSH and Safari domain issues
Authored by: emarmite on Jun 22, '05 03:15:29PM

I've experienced this problem too but in a slightly different way.

Comcast sets my search domain as ha1.ca.comcast.net, yet the issue I'm seeing is that '.net' gets added to the end of any domain it couldn't find.

One really scary effect of this was that when I attempted to connect to my office Windows PC via Remote Desktop Protocol, .net got added to the end of the URL and I found myself at a working RDP Windows 2003 server (address 70.85.43.36). My user ID and password were automatically submitted to this machine. I was rather concerned this box was put there simply to gather passwords (what's the chance that a random machine you are misconnected to is running the correct protocol on an open port?) and had to immediately go change my Windows passwords.

Another weird effect was this Comcast search domain seemed to 'leak' through even when I manually set them on my router ($30 Netgear RIP614v2), Apple Airport base station and my PowerBook. So I'd set some other domain and as long as I use DHCP to get an IP from Comcast, it's still appearing in my /etc/resolv.conf as a search domain.

Final weirdness: looking up domain names using host, dig & nslookup, the .net is not added. But using ping or Microsoft RDP, the .net is magically added. This hint gets me closer to understanding why.

The only solution for me was to manually set my DNS servers to point somewhere else (Verizon 4.2.2.1, 4.2.2.2, etc.). This stopped the issue right away.

Comcast were useless: they told me to flush my cache....

Ironically, I moved house very near to upgrading to Tiger and so assumed it was a Comcast-only fault, not a Tiger one. Undoubtedly though, they are doing some wacky stuff to 'catch' broken URL requests and it's not helping.



[ Reply to This | # ]
A possible fix for slow SSH and Safari domain issues
Authored by: player9 on Jun 22, '05 05:15:16PM

I was having disconnects in Safari and Firefox and checked my Netgear Router and noticed that it did not have my ISP DNS IP Addresses. I added those in there and in Network Preferences, I added my router's IP as the DNS and that fixed my internet connection. In Panther this worked fine with my ISP DNS Servers in Network Preferences, but for some reason, Tiger's DNS is not the same.



[ Reply to This | # ]
search domains
Authored by: ptwithy on Jun 22, '05 05:37:28PM

Each search domain you add can slow down lookups. If you add a search domain of:

foo.bar.bletch

and enter zot as an address, then lookup will try:

zot.foo.bar.bletch
zot.bar.bletch
zot.bletch

Many browsers have their own search they layer on top of this, by trying

zot.com
www.zot.com
zot.net
www.zot.net
zot.org
www.zot.org

If the nameserver you talk to is slow about giving negative replies, you can waste a lot of time trying all these combinations.



[ Reply to This | # ]
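
The expansion described in the comment above can be computed ahead of time to see which names a short or mistyped host name may turn into, and which of them lie outside the zone you meant to reach. This is an added example, not code from the hint or its comments: the `ndots` ordering follows resolv.conf(5), the `devolution` flag (off by default) reproduces the parent-domain walk the comment describes, and `officepc.example.com` and all function names are constructed for illustration.

```python
# Constructed sample; the search domain is the one quoted in the Comcast comment.
SAMPLE_RESOLV_CONF = """\
; constructed sample
search ha1.ca.comcast.net
options ndots:1
"""

def parse_resolv_conf(text):
    """Return (search_list, ndots) from resolv.conf-style text."""
    search, ndots = [], 1                        # resolver default is ndots:1
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#;":   # blank line or comment
            continue
        if fields[0] in ("search", "domain"):    # the last such line wins
            search = [d.strip(".").lower() for d in fields[1:]]
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt[len("ndots:"):])
    return search, ndots

def devolve(domain):
    """a.b.c -> [a.b.c, b.c, c]: the parent-domain walk the comment describes."""
    labels = domain.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def candidates(name, search, ndots=1, devolution=False):
    """Names a stub resolver would query for `name`, in order."""
    if name.endswith("."):                       # trailing dot: absolute, no search
        return [name.rstrip(".").lower()]
    name = name.lower()
    suffixes = []
    for dom in search:
        for suffix in (devolve(dom) if devolution else [dom]):
            if suffix not in suffixes:
                suffixes.append(suffix)
    expanded = [f"{name}.{s}" for s in suffixes]
    # Enough dots: the name as typed goes first. Otherwise the search list does.
    return [name] + expanded if name.count(".") >= ndots else expanded + [name]

def outside_zone(cands, zone):
    """Candidates that fall outside the zone the user meant to reach."""
    zone = zone.strip(".").lower()
    return [c for c in cands if c != zone and not c.endswith("." + zone)]

if __name__ == "__main__":
    search, ndots = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    tried = candidates("officepc.example.com", search, ndots, devolution=True)
    print(tried, outside_zone(tried, "example.com"), sep="\n")
```

With devolution enabled, the last name tried for the constructed host is `officepc.example.com.net`, the same ".net added to the end" pattern reported in the Comcast comment; a trailing dot on the name suppresses the search list entirely.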
A possible fix for slow SSH and Safari domain issues
Authored by: genericuser on Jun 22, '05 05:50:27PM

Not sure about the Safari issue (it is slow for me, too), but my fix for ssh slowness was to follow some recommendations and get a replacement version of ssh via Fink, which (along with other ssh's I've used on other Unix systems) doesn't seem to get hung up on the reverse lookup thing. Just something screwy about the version OS X is using...



[ Reply to This | # ]
This hint is way too long.
Authored by: avramd on Jun 23, '05 07:57:46AM

This hint really only needs to be one paragraph. All of the stuff about how the author arrived at the conclusion isn't a hint. It belongs in a blog somewhere, or in a discussion, not in the hint.



[ Reply to This | # ]
A possible fix for slow SSH and Safari domain issues
Authored by: RoscoP on Jul 27, '05 06:09:30PM

This was fixed immediately by adding the DNS from my ISP manually in the network settings.

Apparently my router sends out DHCP with its IP as being the DNS server. This isn't a problem for my PC, nor my Mac for that matter, except it somehow seems to mess up SSH login. Anyway, by manually putting the DNS (from the ISP) in the network settings for Ethernet, ssh login went from 45s+ to <5s.



[ Reply to This | # ]
Issues with Safari being Slow to Connect
Authored by: bellipses on Mar 21, '07 06:04:53AM

I was having problems with Safari taking a long time to connect to every site, even if I had just recently visited it. The Status Bar would say "Connecting to somedomain.com..." while it was taking its time. It only seems to be slow at home, where I'm using a D-Link wireless router to connect to the Internet via DSL. I had recently changed to a new ISP, Primus Canada.

The solution provided by RoscoP (great name btw) seemed to do the trick for me. I added my ISP's DNS to my Airport settings and it's now humming along very quickly.

Hope this helps someone else too...



[ Reply to This | # ]