Development of complex distributed Java EE systems quite often involves integration with multiple downstream systems. The business services of such a system can be exposed via HTTP or other protocols, either Internet facing or secured within a private network zone. The most common approach is to centralize platform access via a front door DNS (Domain Name System) name. When supporting a Java EE production system, it is important to understand how the JDK manages DNS, especially its default caching policy.
This article provides an overview and a comparison matrix of the DNS cache policy in JDK 1.4, 1.5 and 1.6, and shows how to override the default behaviour when necessary.
Default DNS cache policy and DNS spoofing attack
The default JDK DNS cache policy TTL (time to live) value is -1 (caching forever). You may wonder why, as this can cause problems when network DNS re-pointing changes are required, forcing any Java client to shut down and restart its JVM / Java EE server.
The main reason for this default behaviour is security. As mentioned in the Sun documentation, no DNS caching, or any positive value below 30 seconds, could expose your environment to a DNS spoofing attack; this matters especially for Internet facing Java EE environments, as opposed to applications deployed within a secured and private network zone.
A DNS spoofing attack is an attempt by an attacker to fool a DNS server and re-point a specific DNS entry to a different, attacker-controlled IP address. The DNS server then remains “poisoned” until it refreshes its cache. This means all Java InetSocketAddress DNS lookup requests to the affected DNS server during that time period will also be “poisoned” and return an unexpected, attacker-controlled IP address.
Now find below the default DNS cache behavior between the different JDK versions and override methods.
DNS cache override and JDK comparison matrix
| | JDK 1.4 & 1.5 | JDK 1.6, 1.7 & 1.8 |
|---|---|---|
| Default value | -1 (caching forever). A JVM restart is required to flush the DNS cache. | 30 secs when a security manager is not set; -1 when a security manager is set. With the 30 secs default, the DNS cache is refreshed every 30 seconds. |
| Editable | yes | yes |
| Default value printing | `System.out.println("DEFAULT DNS TTL: " + sun.net.InetAddressCachePolicy.get());` | `System.out.println("DEFAULT DNS TTL: " + sun.net.InetAddressCachePolicy.get());` |
| Override option #1 | In `<JDK_HOME>/jre/lib/security/java.security`, uncomment the line `#networkaddress.cache.ttl=-1` and change it to your desired positive value in seconds. | In `<JDK_HOME>/jre/lib/security/java.security`, uncomment the line `#networkaddress.cache.ttl=-1` and change it to your desired positive value in seconds. |
| Override option #2 | Execute `java.security.Security.setProperty("networkaddress.cache.ttl", TTL_SECS);` on JVM start-up, where `TTL_SECS` is a String holding your configured TTL value in seconds. | Execute `java.security.Security.setProperty("networkaddress.cache.ttl", TTL_SECS);` on JVM start-up, where `TTL_SECS` is a String holding your configured TTL value in seconds. |
| Java reference classes | `sun.net.InetAddressCachePolicy` | `sun.net.InetAddressCachePolicy` |
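Override option #2 put into a runnable form, as an added example that is not from the original article: it validates the TTL, applies it with `Security.setProperty` before the first lookup (the JDK reads the property only once, when `sun.net.InetAddressCachePolicy` is initialised, so a late call has no effect), and prints the effective value. The class name `DnsCacheTtlDemo` and the 60 second default are assumptions for the demo.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.Security;

// Added example (not from the original article): apply the JDK DNS positive-cache
// TTL at JVM start-up and report the effective policy. Written against JDK 1.6-1.8,
// where sun.net.InetAddressCachePolicy is still reachable from application code.
public class DnsCacheTtlDemo {

    static final String TTL_KEY = "networkaddress.cache.ttl";

    /** Validate and apply the TTL override. Must run before any InetAddress lookup:
     *  InetAddressCachePolicy reads the property in its static initializer and
     *  ignores changes made after that. -1 means cache forever. */
    static void applyTtl(int ttlSeconds) {
        if (ttlSeconds < -1) {
            throw new IllegalArgumentException("TTL must be -1 (forever) or >= 0 seconds");
        }
        // Security.setProperty takes String values, so the TTL is converted here.
        Security.setProperty(TTL_KEY, Integer.toString(ttlSeconds));
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed default for the demo: re-resolve every 60 seconds. Values below
        // 30 s widen the window in which a poisoned upstream answer is re-read.
        int ttl = args.length > 0 ? Integer.parseInt(args[0]) : 60;
        applyTtl(ttl);

        System.out.println("configured " + TTL_KEY + " = " + Security.getProperty(TTL_KEY));
        // Effective policy as the runtime sees it (internal class, not a public API).
        System.out.println("effective TTL: " + sun.net.InetAddressCachePolicy.get());

        // The first lookup initialises the cache policy; later lookups of the same
        // name are served from the cache until the TTL expires.
        InetAddress addr = InetAddress.getByName("localhost");
        System.out.println("localhost -> " + addr.getHostAddress());
    }
}
```

Run it once with no argument and once with `-1` to see the effective TTL follow the configured value; calling `applyTtl` after `InetAddress.getByName` would leave the effective TTL unchanged.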