/ Java DNS Cache Reference Guide ~ Java EE Support Patterns

3.10.2011

Java DNS Cache Reference Guide

Development of complex distributed Java EE systems quite often involves integration with multiple downstream systems. Such system business service(s) can be exposed via HTTP or other protocols, Internet facing or secured within its own private network zone. The most common approach is to centralize the platform access via a front door DNS (Domain Name System) name. When supporting a Java EE production system, it is important to understand the JDK DNS management; especially its default caching policy.

This article will provide you an overview and comparison matrix of the DNS cache policy between JDK 1.4, 1.5 and 1.6 and how you can override the default behaviour when necessary.

Default DNS cache policy and DNS spoofing attack

The default JDK DNS cache policy TTL (time to live) value is -1 (caching forever). You may wonder why as this can cause some problems when network DNS re-pointing changes are required, forcing any Java client to shutdown and restart its JVM / Java EE server.

The main reason for this default behaviour is security. As mentioned in Sun documentation, no DNS caching or any positive value below 30 seconds could expose your environment to DNS spoofing attack; especially for Internet facing Java EE environments vs. applications deployed within a secured and private network zone.

A DNS spoofing attack is an attempt by an attacker to fool a DNS server and re-point a specific DNS entry to a different IP (hacker IP). The DNS server then remains “poisoned” until it refreshes its cache. This means all Java InetSocketAddress DNS lookup requests to the effected DNS Server during that time period will also be “poisoned“ and return an unexpected / hacked IP address.

Now find below the default DNS cache behavior between the different JDK versions and override methods.

DNS cache override and JDK comparison matrix


JDK 1.4 & 1 .5
JDK 1.6 & 1.7
Default value
-1 (caching forever)


*JVM restart required to flush the DNS cache
30 secs (When a security manager is not set)
-1           (When a security manager is set)

* DNS Cache is refreshed every 30 seconds
Editable
yes
yes
Default
Value Printing
System.out.println("DEFAULT DNS TTL: "+sun.net.InetAddressCachePolicy.get());
System.out.println("DEFAULT DNS TTL: "+sun.net.InetAddressCachePolicy.get());
Override
Option #1
<JDK_HOME>/jre/lib/security/java.security

#networkaddress.cache.ttl=-1

* Uncomment the above parameter and change as per your desired positive value
in seconds
<JDK_HOME>/jre/lib/security/java.security

#networkaddress.cache.ttl=-1

* Uncomment the above parameter and change as per your desired positive value
in seconds
Override
Option #2
* Execute the code below on JVM start-up

java.security.Security.setProperty
("networkaddress.cache.ttl" , TTL_SECS);

// TTL_SECS represents your configured TTL value
* Execute the code below on JVM start-up

java.security.Security.setProperty
("networkaddress.cache.ttl" , TTL_SECS);

// TTL_SECS represents your configured TTL value
Java reference classes
sun.net.InetAddressCachePolicy
sun.net.InetAddressCachePolicy


8 comments:

Thank you Anonymous for your comments.

P-H

Thanks Bob,

Please note that I will update this article soon and include the latest JDK 1.7 DNC cache behaviour.

Regards,
P-H

Are you sure override option #2 works? I tested it with a trivial test program and the JVM ignores the setting. Instead it just uses the sun.net.inetaddr.ttl default (30 sec.)

java on ubuntu 11.04:

java version "1.6.0_31"
Java(TM) SE Runtime Environment (build 1.6.0_31-b04)
Java HotSpot(TM) 64-Bit Server VM (build 20.6-b01, mixed mode)

Hi Colin,

Let me re-run a test from my end and I will let you know. In production environments my team is managing, we typically use the override method #1, were you able to test it?

Thanks.
P-H

I have an Open Office 3.1 it said in closing that I needed something else be for I can use it and I forgot it before I the Open Office. Can you help?

Please note that the default TTL value in Java 6 and 7 is not *guaranteed* to be 30 seconds when not using a security manager in *all* implementations. Other JVMs could have other defaults:
http://docs.oracle.com/javase/7/docs/technotes/guides/net/properties.html#nct

Post a Comment