diff --git a/overlay/etc/ssh/sshd_config.d/10-veilor-hardening.conf b/overlay/etc/ssh/sshd_config.d/10-veilor-hardening.conf
index 9fd8d8c..44302d7 100644
--- a/overlay/etc/ssh/sshd_config.d/10-veilor-hardening.conf
+++ b/overlay/etc/ssh/sshd_config.d/10-veilor-hardening.conf
@@ -14,3 +14,8 @@ LoginGraceTime 30
 MaxAuthTries 3
 MaxSessions 4
 LogLevel VERBOSE
+# UseDNS off: reverse-lookup-on-connect adds 30s+ delay per connection
+# when client DNS doesn't resolve back-references (NAT, slirp, dynamic
+# IPs). Hardening doesn't benefit from the lookup either way; sshd
+# still logs the IP, just not the (possibly forged) PTR.
+UseDNS no
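Review bot: The new comment block above `UseDNS no` leaves out the one access-control side effect of the setting: with it, host-name patterns in `authorized_keys` `from=` options and in `Match Host` blocks no longer match, and only addresses do. Whether any key or Match block shipped in this overlay relies on a host name is not visible in this hunk, so it is worth checking and recording the constraint next to the directive, e.g. `# With UseDNS no, from= and Match Host accept addresses/CIDR only; use Match Address for source restrictions.` The comment also says `UseDNS off` while the directive value is `no`; writing `# UseDNS no:` keeps the text greppable against the setting. Since sshd uses the first value it obtains for a keyword, the line takes effect only if nothing read earlier (a lower-numbered drop-in, or the main file before its Include) already sets UseDNS.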