From 90a32fb8fa3838e4f1a3a30f04d22ba065b31c9e Mon Sep 17 00:00:00 2001
From: veilor-org
Date: Sun, 3 May 2026 15:41:15 +0100
Subject: [PATCH] =?UTF-8?q?v0.5.16:=20sshd=20UseDNS=20no=20=E2=80=94=20fix?= =?UTF-8?q?=20banner=20timeout=20on=20NAT/slirp?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 overlay/etc/ssh/sshd_config.d/10-veilor-hardening.conf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/overlay/etc/ssh/sshd_config.d/10-veilor-hardening.conf b/overlay/etc/ssh/sshd_config.d/10-veilor-hardening.conf
index 9fd8d8c..44302d7 100644
--- a/overlay/etc/ssh/sshd_config.d/10-veilor-hardening.conf
+++ b/overlay/etc/ssh/sshd_config.d/10-veilor-hardening.conf
@@ -14,3 +14,8 @@ LoginGraceTime 30
 MaxAuthTries 3
 MaxSessions 4
 LogLevel VERBOSE
+# UseDNS off: reverse-lookup-on-connect adds 30s+ delay per connection
+# when client DNS doesn't resolve back-references (NAT, slirp, dynamic
+# IPs). Hardening doesn't benefit from the lookup either way; sshd
+# still logs the IP, just not the (possibly forged) PTR.
+UseDNS no
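Review bot: The comment block added above `UseDNS no` leaves out the one functional side effect of the setting. Per sshd_config(5), with lookups off only addresses, not host names, are matched by `Match Host` blocks and by `from=` restrictions in authorized_keys. If anything else in the overlay relies on hostname patterns (not visible in this hunk), a `Match Host` block that applies restrictions would silently stop applying, so I would add a line such as `# Note: Match Host and authorized_keys from= must use addresses/CIDR while UseDNS is no.` sshd also keeps the first value it reads for a keyword, so a lower-numbered file in `sshd_config.d` that sets `UseDNS` would take precedence over this one; it is worth confirming that none does. Minor wording point: the comment says "UseDNS off" while the directive value is `no`.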