Java runtimes using SecurityManagers unpragmatically cache DNS hits *forever* #238

Closed
rtyley opened this issue Jan 16, 2019 · 1 comment · Fixed by #239

rtyley commented Jan 16, 2019

This is the default behaviour of Java runtimes (in both Java 8 & 11 apparently), defined in the java.security file - they cache DNS hits forever:

```
# The Java-level namelookup cache policy for successful lookups:
#
# any negative value: caching forever
# any positive value: the number of seconds to cache an address for
# zero: do not cache
#
# default value is forever (FOREVER). For security reasons, this
# caching is made forever when a security manager is set. When a security
# manager is not set, the default behavior in this implementation
# is to cache for 30 seconds.
#
# NOTE: setting this to anything other than the default value can have
#       serious security implications. Do not set it unless
#       you are sure you are not exposed to DNS spoofing attack.
#
#networkaddress.cache.ttl=-1
```

Although intended as a security measure against DNS-spoofing, it's not very realistic in the AWS-based-world in which we operate - services do change their IP addresses from time to time, and so AWS recommend that a networkaddress.cache.ttl=60 setting be applied.

On the Ophan team @amyhughes & I have seen this result in us losing monitoring data as the Elastic-hosted monitoring cluster changed its IP without our Elasticsearch nodes noticing - they attempted to continue sending data to the old IP addresses.

Elastic themselves recommend setting networkaddress.cache.ttl appropriately.

See also https://stackoverflow.com/q/1256556/438886

The java.security configuration file

Locating and patching the java.security file is a little fiddly - this is where you find it on today's images:

/etc/java-8-openjdk/security/java.security

Could we bake the updated setting into the AMI role?
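
One way an image build step could apply the setting discussed above, as an added example that is not part of the issue or of the commit that fixed it. It assumes a POSIX shell with awk and mktemp; the function names and the script name are made up here, while the path and the value 60 are the ones quoted in the issue.

```shell
#!/bin/sh
# Added example (not from the issue or the fixing commit): set
# networkaddress.cache.ttl in a java.security file, idempotently.
# Function names are made up for this sketch.

set_dns_cache_ttl() {
    file=$1
    ttl=$2
    # Negative values mean "cache forever", the behaviour being removed,
    # so only plain non-negative integers are accepted.
    case $ttl in
        '' | *[!0-9]*) echo "ttl must be a non-negative integer" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "not a file: $file" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # Rewrite the first assignment, commented out or active, and drop any
    # later ones; append the setting if the file has none. The pattern does
    # not match networkaddress.cache.negative.ttl.
    awk -v ttl="$ttl" '
        /^[ \t]*#?[ \t]*networkaddress\.cache\.ttl[ \t]*=/ {
            if (!done) { print "networkaddress.cache.ttl=" ttl; done = 1 }
            next
        }
        { print }
        END { if (!done) print "networkaddress.cache.ttl=" ttl }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back through the existing file so owner and mode are kept.
    cat "$tmp" > "$file"
    status=$?
    rm -f "$tmp"
    return "$status"
}

# Print the value the JVM would read (the last active assignment), or an
# empty line when the property is unset or commented out.
active_dns_cache_ttl() {
    awk -F= '
        /^[ \t]*networkaddress\.cache\.ttl[ \t]*=/ { v = $2 }
        END { gsub(/[ \t]/, "", v); print v }
    ' "$1"
}

# Usage: sh set-dns-ttl.sh /etc/java-8-openjdk/security/java.security 60
if [ "$#" -eq 2 ]; then
    set_dns_cache_ttl "$1" "$2" && active_dns_cache_ttl "$1"
fi
```

Running it a second time leaves the file byte-for-byte unchanged, so it is safe to repeat on every bake.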


alexduf commented Jan 16, 2019

I don't know about other teams but on mobile I'd quite like to see that baked in the default image.

maxspencer added a commit that referenced this issue Jan 17, 2019
Co-authored-by: Roberto Tyley <roberto.tyley@gmail.com>
rtyley pushed a commit that referenced this issue Jan 18, 2019
Fix #238 by stopping the JVM caching DNS lookups forever.

Co-authored-by: Max Spencer <max.spencer@theguardian.com>