Skip to content

Override the JVM DNS cache policy #36570

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Dec 13, 2018
Merged

Override the JVM DNS cache policy #36570

merged 7 commits into from
Dec 13, 2018

Conversation

@jasontedor
Copy link
Member

@jasontedor jasontedor commented Dec 12, 2018

When a security manager is present, the JVM will cache positive hostname lookups indefinitely. This can be problematic, especially in the modern world with cloud services where DNS addresses can change, or environments using Docker containers where IP addresses could be considered ephemeral. This behavior impacts cluster discovery, cross-cluster replication and cross-cluster search, reindex from remote, snapshot repositories, webhooks in Watcher, external authentication mechanisms, and the Elastic Stack Monitoring Service. The experience of watching a DNS lookup change yet not be reflected within Elasticsearch is a poor experience for users. The reason the JVM has this is guard against DNS cache posioning attacks. Yet, there is already a defense in the modern world against such attacks: TLS. With proper certificate validation, even if a resolver falls prey to a DNS cache poisoning attack, using TLS would neuter the attack. Therefore we have a policy with dubious security value that significantly impacts usability. As such we make the usability/security tradeoff towards usability, since the security risks are very low. This commit introduces new system properties that Elasticsearch observes to override the JVM DNS cache policy.

@jasontedor
Override the JVM DNS cache policy
d057d3c 
When a security manager is present, the JVM will cache positive hostname
lookups indefinitely. This can be problematic, especially in the modern
world with cloud services where DNS addresses can change, or
environments using Docker containers where IP addresses could be
considered ephemeral. This behavior impacts cluster discovery,
cross-cluster replication and cross-cluster search, reindex from remote,
snapshot repositories, webhooks in Watcher, external authentication
mechanisms, and the Elastic Stack Monitoring Service. The experience of
watching a DNS lookup change yet not be reflected within Elasticsearch
is a poor experience for users. The reason the JVM has this is guard
against DNS cache posioning attacks. Yet, there is already a defense in
the modern world against such attacks: TLS. With proper certificate
validation, even if a resolver falls prey to a DNS cache poisoning
attack, using TLS would neuter the attack. Therefore we have a policy
with dubious security value that significantly impacts usability. As
such we make the usability/security tradeoff towards usability, since
the security risks are very low. This commit introduces new system
properties that Elasticsearch observes to override the JVM DNS cache
policy.
@elasticmachine
Copy link
Collaborator

elasticmachine commented Dec 12, 2018

Pinging @elastic/es-core-infra

@jasontedor
Copy link
Member Author

jasontedor commented Dec 12, 2018

@elasticmachine run gradle build tests 1

pickypg
pickypg reviewed Dec 12, 2018
View reviewed changes
pickypg
pickypg approved these changes Dec 12, 2018
View reviewed changes
Copy link
Member

@pickypg pickypg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jasontedor
Copy link
Member Author

jasontedor commented Dec 13, 2018

@elasticmachine run gradle build tests 1
@elasticmachine run gradle build tests 2

@jasontedor
Copy link
Member Author

jasontedor commented Dec 13, 2018

@elasticmachine test this please

@jasontedor jasontedor merged commit 2afa7fa into elastic:master Dec 13, 2018
jasontedor added a commit that referenced this pull request Dec 13, 2018
@jasontedor
Override the JVM DNS cache policy (#36570)
7c3dcec 
When a security manager is present, the JVM will cache positive hostname
lookups indefinitely. This can be problematic, especially in the modern
world with cloud services where DNS addresses can change, or
environments using Docker containers where IP addresses could be
considered ephemeral. This behavior impacts cluster discovery,
cross-cluster replication and cross-cluster search, reindex from remote,
snapshot repositories, webhooks in Watcher, external authentication
mechanisms, and the Elastic Stack Monitoring Service. The experience of
watching a DNS lookup change yet not be reflected within Elasticsearch
is a poor experience for users. The reason the JVM has this is guard
against DNS cache posioning attacks. Yet, there is already a defense in
the modern world against such attacks: TLS. With proper certificate
validation, even if a resolver falls prey to a DNS cache poisoning
attack, using TLS would neuter the attack. Therefore we have a policy
with dubious security value that significantly impacts usability. As
such we make the usability/security tradeoff towards usability, since
the security risks are very low. This commit introduces new system
properties that Elasticsearch observes to override the JVM DNS cache
policy.
@jasontedor jasontedor deleted the override-dns-cache-policy branch December 13, 2018 16:08
@jasontedor
Copy link
Member Author

jasontedor commented Dec 15, 2018

Thanks for reviewing @pickypg and @spinscale.

@jasontedor jasontedor mentioned this pull request Dec 20, 2018
Closed
@DaveCTurner DaveCTurner mentioned this pull request Feb 3, 2019
Closed
@jasontedor jasontedor mentioned this pull request Feb 26, 2019
Merged
@jasontedor jasontedor mentioned this pull request Mar 8, 2019
Closed
sebgl added a commit to sebgl/cloud-on-k8s that referenced this pull request Jun 10, 2019
@sebgl
Remove JVM DNS cache policy tweaks
645d330 
Since we only support Elasticsearch 6.8+ and 7.1+, we have the following
commit already there in Elasticsearch:
elastic/elasticsearch#36570.

Hence we do not need to duplicate the fix manually into our own JVM
security options file.

Since there is now no need for this "default config map" volume in the
pod (only used for the jvm security options file so far), this commit
also removes it.
@sebgl sebgl mentioned this pull request Jun 10, 2019
Merged
sebgl added a commit to elastic/cloud-on-k8s that referenced this pull request Jun 10, 2019
@sebgl
Remove JVM DNS cache policy tweaks (#1033)
7073d16 
* Remove JVM DNS cache policy tweaks

Since we only support Elasticsearch 6.8+ and 7.1+, we have the following
commit already there in Elasticsearch:
elastic/elasticsearch#36570.

Hence we do not need to duplicate the fix manually into our own JVM
security options file.

Since there is now no need for this "default config map" volume in the
pod (only used for the jvm security options file so far), this commit
also removes it.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@spinscale spinscale spinscale approved these changes

@pickypg pickypg pickypg approved these changes

Assignees

No one assigned

Labels

:Core/Infra/Core Core issues without another label >enhancement release highlight v6.6.0 v7.0.0-beta1

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@jasontedor @elasticmachine @spinscale @pickypg @colings86