LinuxQuestions.org, Linux - Networking forum
11-03-2022, 02:38 PM   #1   Jason_25
Stop SSH server DNS connections?


I am still seeing connections to the DNS server when I am doing SSH connections on my LAN. This is what I have done to try to fix it:

GSSAPIAuthentication no in sshd_config
UseDNS no in sshd_config
SSHD_OPTS=-u0 in /etc/default/ssh

I cannot express how troublesome SSH has been in setting my network up properly. It is the most unconfigurable software out there.

Because OpenDNS really needs to be aware of exactly how many SSH connections I have open and exactly what I am doing. Very secure.

More people need to crack open a network analyzer and get to work on securing their networks. The idea that this popular software is "leaking" connections and the options literally do nothing is very troubling.

Why even post this? I fix all my own problems anyway. I already know I am going to have to change the SSH server to one that obeys the user's commands. I could even use telnet secured with Stunnel or no Stunnel at all since it is on a separate VLAN on a local network. But in case someone has a fix I am all ears. Someone please give me a fix here so I do not have to spend ever more time on this.
 
11-03-2022, 07:19 PM   #2   computersavvy
SSH and DNS are totally different. One does not impact the other except that ssh may need to use dns services to get an ip address if the connection is being made to a hostname instead of directly to the IP address of that host.

Saying that dns needs to know how many ssh connections you have is fubar. Dns does not care anything about connections, it only responds by sending an IP in response to a query by host name.

For example, if you try to make a connection with 'ssh user@hostname' then ssh sends a query to the dns server asking 'what is the ip of hostname'. Dns returns the ip address and ssh then connects to that IP by substituting so the command is effectively 'ssh user@IP'. This is the only way those 2 services interact.

That is not a 'leakage' but is instead a feature that is built into almost everything that allows access to the internet or local network.

Almost all you use on the network requires dns access.

Last edited by computersavvy; 11-03-2022 at 07:21 PM.
 
11-03-2022, 09:01 PM   #3   Turbocapitalist
UseDNS already is set to "no" by default for the server. As mentioned in #2 above, your client will look up target host names.

Which system are you seeing contacting DNS when initiating an SSH connection, the client or the server?
 
11-04-2022, 02:54 AM   #4   pan64
Yes, DNS and SSH are two independent things. But when you execute the command "ssh hostname", this hostname will be checked against a DNS server anyway. This is not SSH, but how the network works. What do you want to achieve?
DNS will not manage SSH connections at all (and has no idea about any kind of open connections).

I don't really understand what you mean by a leaking connection. Also, SSH is very popular software used by a really huge number of people and machines; any vulnerabilities will be fixed as soon as possible. If you think you have found a problem you need to report it. But first you need to explain what you mean by that.
 
11-05-2022, 08:13 AM   #5   Jason_25 (Original Poster)
I had some time to address this problem.

First of all, this is a kind of leak because an outside party does not need to know about what you are doing on your internal network. It is not a "full" leak that causes a loss of custody of private data but it is concerning.

The OpenSSH people are not responsive to user problems so things like this do not get addressed. We are not the cryptographic professionals, remember.

I was surprised to see that the Dropbear SSH server did the exact same thing with unnecessary DNS connections.

The best way to handle this since this is a server that operates off of IP with really no need for DNS is this:
sudo iptables -A OUTPUT -p udp --destination-port 53 -j DROP
This quiets my monitors down and makes me happy.

I did not get around to using lsh, WolfSSH, telnet-ssl, telnet with stunnel, regular telnet, or nc.
 
11-05-2022, 08:20 AM   #6   Turbocapitalist
Quote: Originally Posted by Jason_25
I had some time to address this problem.
It is unclear whether you mean that it is the client or the server which is doing the lookups. Without that information, no solution is possible. Blocking outgoing 53 for UDP won't block DNS lookups; DNS also works over TCP. Furthermore, blocking DNS will break a lot of important tools you really need, like NTP.

Can you review the posts above and double check to ensure that you have answered the clarifying questions posed in regards to this thread?
 
11-05-2022, 09:27 AM   #7   wpeckham
I have run a local nameserver on my internal network, and used DNSMASQ to cache external lookups. It increases security, slightly improves speed, and reduces DNS traffic going external to my local network.

I think you are obsessing over nothing, but in case you have a real problem this is a real solution.
 
11-05-2022, 09:37 AM   #8   Jason_25 (Original Poster)
Sorry if I was unclear. It is definitely the server doing the lookups and the problem is definitely sufficiently worked around with the iptables trick. There are no more outbound DNS connections after this. I still have the OpenSSH settings applied above so that may play into it. You may have a point on NTP so I will have to see how that works.

DNSmasq may be a solution also. I am not sure it is obsessing if the program is supposed to be totally secure but does unnecessary things which could lead to an insecure situation. As I have said before I am having to put my foot down on this network and I am not going to accept behavior which is counter to what I want to see.
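A way to check the two points raised in #6 (which host is doing the lookups, and UDP versus TCP), as an added example that is none of the posters' own code: run on the SSH server, it dumps the settings sshd is effectively running with and classifies the port-53 traffic tcpdump sees by transport and by whether it is a reverse (PTR) lookup, which is what UseDNS controls. It assumes tcpdump and sshd are installed on the server; the embedded capture is constructed so the script also runs offline.

```shell
#!/bin/sh
# Added example (not from any poster in this thread). Assumes this host is
# the SSH server and that tcpdump and sshd are installed here.

# Show the settings sshd is actually running with (UseDNS defaults to "no";
# it controls the reverse PTR lookup of the connecting client's address).
effective_sshd_dns_settings() {
  sshd -T 2>/dev/null | grep -iE '^(usedns|gssapiauthentication) '
}

# Classify DNS queries from tcpdump's one-line (-l) text output on stdin:
# transport (UDP vs TCP on port 53) and whether the question is a PTR
# (reverse) lookup. Responses and bare TCP handshake packets are ignored.
classify_dns() {
  awk '
    / > [0-9.]+\.53: / && /[?]/ {             # a query sent to port 53
      if ($0 ~ /Flags \[/) tcp++; else udp++  # tcpdump prints Flags only for TCP
      if ($0 ~ / PTR[?] /) ptr++
    }
    END { printf "udp=%d tcp=%d ptr=%d\n", udp+0, tcp+0, ptr+0 }'
}

# Constructed sample in "tcpdump -n -l" format: one UDP PTR query for a LAN
# client, its NXDomain answer, then a TCP handshake and a TCP A query.
SAMPLE_CAPTURE='12:00:01.000001 IP 192.168.1.10.41234 > 192.168.1.1.53: 12345+ PTR? 20.1.168.192.in-addr.arpa. (44)
12:00:01.000100 IP 192.168.1.1.53 > 192.168.1.10.41234: 12345 NXDomain 0/1/0 (96)
12:00:02.000001 IP 192.168.1.10.50000 > 192.168.1.1.53: Flags [S], seq 1, win 64240, length 0
12:00:02.000200 IP 192.168.1.10.50000 > 192.168.1.1.53: Flags [P.], seq 1:45, ack 1, win 502, length 44 11223+ A? pool.ntp.org. (42)'

# Offline run over the constructed sample; prints "udp=1 tcp=1 ptr=1".
classify_sample() {
  printf '%s\n' "$SAMPLE_CAPTURE" | classify_dns
}

# Live run (needs root): capture 50 port-53 packets while an SSH session is
# opened to this host from the LAN, then report transport and query type.
live_check() {
  effective_sshd_dns_settings
  tcpdump -n -l -i any -c 50 'port 53' 2>/dev/null | classify_dns
}

if [ "${1:-}" = "--live" ]; then live_check; else classify_sample; fi
```

A non-zero tcp count shows the UDP-only iptables rule from #5 is not stopping those lookups; a ptr count that rises with each new SSH session points at the server-side reverse lookup rather than the client.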
 
  

