Why Disabling VerifyHostKeyDNS in SSH is Safer for Production Environments

Secure Shell (SSH) is a fundamental tool for system administrators, DevOps engineers, and developers for managing remote servers securely. However, certain default SSH configurations can introduce security risks if not handled carefully. One such setting is VerifyHostKeyDNS, which determines whether SSH clients should verify host keys via DNS.

In this article, we’ll explore why disabling VerifyHostKeyDNS (VerifyHostKeyDNS no) is often the safer choice, especially in production environments, and provide a step-by-step guide on how to implement this securely.

What is VerifyHostKeyDNS?

The VerifyHostKeyDNS option in SSH determines whether the SSH client should verify the server’s host key using DNS-based SSHFP (SSH Fingerprint) records. When enabled (yes), the SSH client queries the DNS server for SSHFP records to validate the host key before establishing a connection.

Potential Risks of VerifyHostKeyDNS yes

While DNS-based verification might seem like a useful feature, it comes with significant security risks:

• Vulnerable to DNS Spoofing: If an attacker gains control over DNS resolution, they can inject fake SSHFP records, tricking users into connecting to a compromised server.

• DNSSEC Dependency: SSHFP records are only secure when used with DNSSEC, which is not widely implemented. If DNSSEC is not enforced, trusting SSHFP records can be dangerous.

• Bypasses Known Host Key Verification: SSH normally warns users if a host key has changed, but enabling VerifyHostKeyDNS can override this by trusting DNS-provided keys.

• Slower SSH Connections: Each SSH connection will trigger additional DNS lookups, increasing latency and dependency on external network conditions.

Step-by-Step Guide: Disabling VerifyHostKeyDNS for Better Security

To mitigate the risks mentioned above, it’s best to disable VerifyHostKeyDNS and instead rely on the standard SSH host key verification process using ~/.ssh/known_hosts.

Step 1: Modify the SSH Client Configuration

Run the following command to disable VerifyHostKeyDNS in your local SSH client configuration:

echo 'VerifyHostKeyDNS no' >> ~/.ssh/config

Alternatively, you can manually edit the file:

nano ~/.ssh/config

And add the following lines:

Host *

    VerifyHostKeyDNS no

This setting ensures that DNS-based host key verification is disabled for all SSH connections.

Step 2: Modify the Global SSH Client Configuration (Optional)

If you want this change to apply system-wide for all users, modify the global SSH client config:

echo 'VerifyHostKeyDNS no' >> /etc/ssh/ssh_config

Then, restart SSH for the changes to take effect:

systemctl restart ssh

Step 3: Manually Verify SSH Host Keys

Since VerifyHostKeyDNS is now disabled, ensure that you properly verify and store host keys:

First-Time Connection: When connecting to a server for the first time, SSH will prompt:
The authenticity of host 'example-server.com' can't be established.

Are you sure you want to continue connecting (yes/no)?

Verify the Host Key: Compare the provided fingerprint with the expected one.

Accept and Store the Key: If verified, type yes to store it in ~/.ssh/known_hosts.

Conclusion: Should You Disable VerifyHostKeyDNS?

Merits of Disabling VerifyHostKeyDNS

Prevents DNS-based MITM attacks and spoofing.
Avoids dependency on DNSSEC, which is often not properly configured.
Ensures manual host key verification, reducing security risks.
Speeds up SSH connections by eliminating unnecessary DNS lookups.

Demerits of Disabling VerifyHostKeyDNS

❌ Requires manual management of known_hosts, which can be tedious in large infrastructures.
❌ Can cause issues if your organization relies on SSHFP records for automation.

Caution: Proceed at Your Own Risk

If your organization or environment fully supports DNSSEC and SSHFP, enabling VerifyHostKeyDNS may be acceptable. However, for most users, disabling it is the safer option to prevent DNS-based security vulnerabilities.

Would you like assistance setting up an alternative secure SSH key verification method, such as StrictHostKeyChecking? Feel free to ask in the comments.