Don't cache resolved hostnames forever

[clintongormley]

Today we use InetAddress to represent IP addresses. InetAddress handles the work of resolving hostnames from DNS and from the local hosts file.

With the security manager enabled, successful hostname lookups are cached forever to prevent spoofing attacks. I don't know if this behaviour was different before the security manager was enabled, but it seems unlikely given issues such as #10337 and #14441.

It would be a useful improvement to be able to specify unicast hosts as hostnames which are looked up from DNS or hosts, then if the IP addresses change and the node need to reconnect to the cluster, it can just do a fresh lookup to gather the current IPs. Similar logic would help the clients.

If we make this change, it should be configurable (otherwise we're introducing the chance for spoofing) and we should consider the impact on hostname verification of ssl certs.

Testing this change would be hard...

[danielmitterdorfer]

The DNS cache of a Java process is handled by the property networkaddress.cache.ttl. Quoting Oracle Docs:

Specified in java.security to indicate the caching policy for successful name lookups from the name service.. The value is specified as integer to indicate the number of seconds to cache the successful lookup.

A value of -1 indicates "cache forever". The default behavior is to cache forever when a security manager is installed, and to cache for an implementation specific period of time, when a security manager is not installed.

[danielmitterdorfer]

As per the Oracle documentation on policy files the above-mentioned property (and maybe also the related property networkaddress.cache.negative.ttl (for failed DNS lookups)) have to be specified in a file called java.security. This file is located in $JRE_HOME/lib/security and the settings there are system-wide.

It is possible to provide an application-specific java.security file that overrides the system-wide defaults by adding the system property -Djava.security.properties=$CUSTOM_SECURITY_FILE and specifying application-specific overrides there but this is only possible if the property security.overridePropertiesFile is set to true in $JRE_HOME/lib/security/java.security (the default is true). So in case an administrator disables this, we won't be able to override the system-wide setting.

I wonder whether we should just point users to the Oracle documentation on how to change the DNS cache lifetime system-wide because I am not sure whether they want to configure different (Java) DNS cache lifetimes for different applications on the same machine anyway. Wdyt @clintongormley?

[clintongormley]

@danielmitterdorfer I'd be happy with just adding this documentation. Is there anything we need to change code-wise as well? Or perhaps just adding tests to ensure that the documented solution works?

[clintongormley]

Also related to #10337 and logstash-plugins/logstash-output-elasticsearch#131 and #11256

[miah]

We run all our jvms with this configuration. We also only pass hostnames to
ES via command arguments at startup. When we roll out new instances on aws
ES never refreshes the hosts IPs via DNS lookups.

Would appreciate if somebody else could verify that it works as expected
because it doesn't seem to in our environment.
On Feb 13, 2016 3:33 AM, "Clinton Gormley" notifications@github.com wrote:

@danielmitterdorfer https://github.com/danielmitterdorfer I'd be happy
with just adding this documentation. Is there anything we need to change
code-wise as well? Or perhaps just adding tests to ensure that the
documented solution works?

—
Reply to this email directly or view it on GitHub
#16412 (comment)
.

[danielmitterdorfer]

@clintongormley I would just point users to the Oracle documentation and not add any tests for two reasons:

1. This is a configuration that is purely related to the JVM and nothing of this is Elasticsearch specific
2. It is a global change so the JDK configuration has to change in every environment where the tests are run.

[danielmitterdorfer]

@miah I have created a small demo program to verify that everything works as expected (source code as gist). In addition, I've set these values in my java.security in the JRE/lib directory:

networkaddress.cache.ttl=10
networkaddress.cache.negative.ttl=-1

When you look at the demo source code, you'll see that we query for one existing host ("www.google.com") and for one non-existing one ("www.this-does-not-exist.io"). My expectation is that we see DNS requests every 10 seconds for the existing host and only one for the non-existing one when we periodically clear the OS DNS cache.

When you invoke the demo program as described in the gist and open tcpdump (I did sudo tcpdump -vvv -s 0 -l -n port 53) and periodically clear the DNS cache (depending on your OS) you'll see the expected behavior (my environment is Mac OS X 10.11):

Output from the application:

14:04:10
www.google.com => 173.194.39.18
14:04:15
www.google.com => 173.194.39.18
14:04:20
www.google.com => 173.194.39.18
14:04:25
www.google.com => 173.194.39.18
14:04:30
www.google.com => 173.194.39.18
14:04:35
www.google.com => 173.194.39.18

Output from tcpdump:

tcpdump: data link type PKTAP
tcpdump: listening on pktap, link-type PKTAP (Packet Tap), capture size 262144 bytes
14:04:10.592232 IP (tos 0x0, ttl 255, id 64876, offset 0, flags [none], proto UDP (17), length 60)
    192.168.1.103.60113 > 192.168.1.1.53: [udp sum ok] 60929+ A? www.google.com. (32)
14:04:10.592301 IP (tos 0x0, ttl 255, id 6814, offset 0, flags [none], proto UDP (17), length 60)
    192.168.1.103.58959 > 192.168.1.1.53: [udp sum ok] 36807+ AAAA? www.google.com. (32)
14:04:10.624765 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 140)
    192.168.1.1.53 > 192.168.1.103.60113: [udp sum ok] 60929 q: A? www.google.com. 5/0/0 www.google.com. [4m48s] A 173.194.39.20, www.google.com. [4m48s] A 173.194.39.18, www.google.com. [4m48s] A 173.194.39.17, www.google.com. [4m48s] A 173.194.39.16, www.google.com. [4m48s] A 173.194.39.19 (112)
14:04:10.625961 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 88)
    192.168.1.1.53 > 192.168.1.103.58959: [udp sum ok] 36807 q: AAAA? www.google.com. 1/0/0 www.google.com. [4m54s] AAAA 2a00:1450:4005:800::1010 (60)
14:04:10.695845 IP (tos 0x0, ttl 255, id 17766, offset 0, flags [none], proto UDP (17), length 72)
    192.168.1.103.49957 > 192.168.1.1.53: [udp sum ok] 27956+ A? www.this-does-not-exist.io. (44)
14:04:10.695942 IP (tos 0x0, ttl 255, id 63692, offset 0, flags [none], proto UDP (17), length 72)
    192.168.1.103.51379 > 192.168.1.1.53: [udp sum ok] 47751+ AAAA? www.this-does-not-exist.io. (44)
14:04:10.727572 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 141)
    192.168.1.1.53 > 192.168.1.103.49957: [udp sum ok] 27956 NXDomain q: A? www.this-does-not-exist.io. 0/1/0 ns: io. [19m14s] SOA ns1.communitydns.net. nicadmin.nic.io. 1455538915 3600 1800 3600000 3600 (113)
14:04:10.728133 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 141)
    192.168.1.1.53 > 192.168.1.103.51379: [udp sum ok] 47751 NXDomain q: AAAA? www.this-does-not-exist.io. 0/1/0 ns: io. [19m14s] SOA ns1.communitydns.net. nicadmin.nic.io. 1455538915 3600 1800 3600000 3600 (113)
14:04:20.733510 IP (tos 0x0, ttl 255, id 51420, offset 0, flags [none], proto UDP (17), length 60)
    192.168.1.103.58825 > 192.168.1.1.53: [udp sum ok] 11803+ A? www.google.com. (32)
14:04:20.733566 IP (tos 0x0, ttl 255, id 13172, offset 0, flags [none], proto UDP (17), length 60)
    192.168.1.103.60441 > 192.168.1.1.53: [udp sum ok] 14292+ AAAA? www.google.com. (32)
14:04:20.737039 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 140)
    192.168.1.1.53 > 192.168.1.103.58825: [udp sum ok] 11803 q: A? www.google.com. 5/0/0 www.google.com. [4m38s] A 173.194.39.19, www.google.com. [4m38s] A 173.194.39.16, www.google.com. [4m38s] A 173.194.39.17, www.google.com. [4m38s] A 173.194.39.18, www.google.com. [4m38s] A 173.194.39.20 (112)
14:04:20.737435 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 88)
    192.168.1.1.53 > 192.168.1.103.60441: [udp sum ok] 14292 q: AAAA? www.google.com. 1/0/0 www.google.com. [4m44s] AAAA 2a00:1450:4005:800::1010 (60)
14:04:30.748453 IP (tos 0x0, ttl 255, id 17598, offset 0, flags [none], proto UDP (17), length 60)
    192.168.1.103.55087 > 192.168.1.1.53: [udp sum ok] 1167+ A? www.google.com. (32)
14:04:30.748806 IP (tos 0x0, ttl 255, id 29531, offset 0, flags [none], proto UDP (17), length 60)
    192.168.1.103.60394 > 192.168.1.1.53: [udp sum ok] 60974+ AAAA? www.google.com. (32)
14:04:30.754529 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 140)
    192.168.1.1.53 > 192.168.1.103.55087: [udp sum ok] 1167 q: A? www.google.com. 5/0/0 www.google.com. [4m28s] A 173.194.39.20, www.google.com. [4m28s] A 173.194.39.19, www.google.com. [4m28s] A 173.194.39.16, www.google.com. [4m28s] A 173.194.39.17, www.google.com. [4m28s] A 173.194.39.18 (112)
14:04:30.754533 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 88)
    192.168.1.1.53 > 192.168.1.103.60394: [udp sum ok] 60974 q: AAAA? www.google.com. 1/0/0 www.google.com. [4m34s] AAAA 2a00:1450:4005:800::1010 (60)

You see that we query only once for "www.this-does-not-exist.io" but every 10 seconds for "www.google.com". Similarly, you should also see only one DNS request for "google.com" when you set networkaddress.cache.ttl=-1 in java.security.

[danielmitterdorfer]

@miah One more thing: Note that the program runs with the security manager enabled. The JDK implementation behaves differently whether or not a security manager is enabled (see also my comment above with the link to the Oracle docs). As Elasticsearch 3.0 will make security mandatory (#16176) it is a sensible assumption that we assume here too that a security manager is enabled.

[alexbrasetvik]

It would also be nice if the transport client could do the lookups when it connects, instead of just when the client object is created, as IPs can change e.g. when going through a load balancer.

[beiske]

Despite keeping the hostname an InetAdress will never attempt to resolve the ip after it has been created. I think this is a source of confusion for many using the transport client. It is particularly important when connecting to the cloud service. Due to the load balancers even a single node cluster has multiple ip adresses and they may change at any point in time.

@clintongormley Is this issue also relevant for the transport client or should we make a separate issue?

[danielmitterdorfer]

@alexbrasetvik, @beiske: I don't know what @clintongormley thinks about your idea but I think it would be better to create a new ticket for the transport client topic.