#1 | 20-01-2009, 11:15 | kjkoster (Forum Operator)
Java's DNS cache behaviour

Dear All,

Working on making Java-monitor more robust against DNS outage issues gave me some insight into Java's DNS caching behaviour. The default caching behaviour may seem nice at first, but it has some serious ramifications for long-running processes, such as the ones we are dealing with.

Regardless of whether you use Java-monitor, you may want to take a few minutes to consider the DNS cache behaviour that your application is using.

Java 1.6 introduced a change to the default DNS caching behaviour. The default value for networkaddress.cache.ttl changed from -1 (cache forever) to a system-dependent value, but only if you have no security manager installed. The idea was for this to work as a robustness against DNS cache poisoning.

Default DNS cache behaviour for Java 1.4 and Java 1.5, taken from the API documentation of java.net.InetAddress.

networkaddress.cache.ttl (default: -1)
    Indicates the caching policy for successful name lookups from the name service. The value is specified as an integer to indicate the number of seconds to cache the successful lookup. A value of -1 indicates "cache forever".
networkaddress.cache.negative.ttl (default: 10)
    Indicates the caching policy for un-successful name lookups from the name service. The value is specified as an integer to indicate the number of seconds to cache the failure for un-successful lookups. A value of 0 indicates "never cache". A value of -1 indicates "cache forever".

Default DNS cache behaviour for Java 1.6, taken from the API documentation of java.net.InetAddress.

networkaddress.cache.ttl
    Specified in java.security to indicate the caching policy for successful name lookups from the name service. The value is specified as an integer to indicate the number of seconds to cache the successful lookup. A value of -1 indicates "cache forever". The default behavior is to cache forever when a security manager is installed, and to cache for an implementation specific period of time, when a security manager is not installed.
networkaddress.cache.negative.ttl (default: 10)
    Indicates the caching policy for un-successful name lookups from the name service. The value is specified as an integer to indicate the number of seconds to cache the failure for un-successful lookups. A value of 0 indicates "never cache". A value of -1 indicates "cache forever".

The most important change is the default behaviour for networkaddress.cache.ttl. That is now set to 30 seconds.

Personally, I don't understand why one would cache for just a few seconds. That means that you almost never take anything from the cache. I am also disappointed to learn that I cannot plug in my own cache implementation programmatically. That would allow me to easily fall back to previously cached and even expired DNS entries in case a DNS server dies.

To read more on Java's DNS cache policy, have a look at this discussion about LimeWire's problems with Java's DNS cache. Granted, LimeWire is an extreme case, because it deals with a massive number of peer hosts. It still shows how a quick cache thrown into the code may grow out of proportion if you are not careful.

I used the following code to print out that the default of networkaddress.cache.ttl is 30 seconds for my JDK 1.6. This is Sun-specific code. It's just to get a peek at the internals, so that's ok. Just don't use it in your production environment. :-)
Code:
public class Foo {
    public static void main(String[] args) {
        // Sun-internal class: prints the positive DNS cache TTL in seconds (-1 means cache forever).
        System.out.println(sun.net.InetAddressCachePolicy.get());
    }
}
Please notice that changing the values for these settings is not straightforward. They are security properties, not regular system properties. You can find how to set them in this discussion, at the bottom of the page.

I am looking forward to hearing from you what values you guys use for networkaddress.cache.ttl and networkaddress.cache.negative.ttl.

Kees Jan
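
Added example (not code from this thread or from Java-monitor): one way to set and inspect the two security properties from code, as opposed to passing them as regular system properties. The class name and the 60 and 10 second values are constructed; sun.net.inetaddr.ttl and sun.net.inetaddr.negative.ttl are the Sun-specific system-property fallbacks, which the thread does not mention.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.Security;

public class DnsCacheTtl {
    static final String POSITIVE = "networkaddress.cache.ttl";
    static final String NEGATIVE = "networkaddress.cache.negative.ttl";

    /** Reports which source supplies a TTL: security property, Sun fallback, or JVM default. */
    static String describe(String securityProp, String sunSystemProp) {
        String value = Security.getProperty(securityProp);
        if (value != null) {
            return securityProp + "=" + value + " (security property)";
        }
        value = System.getProperty(sunSystemProp);
        if (value != null) {
            return sunSystemProp + "=" + value + " (Sun-specific system property)";
        }
        return securityProp + " not set (JVM default applies)";
    }

    public static void main(String[] args) {
        // Must run before the first InetAddress lookup: the cache policy is read
        // once, and later changes to these properties are not picked up.
        Security.setProperty(POSITIVE, "60"); // constructed value: cache successes for 60 s
        Security.setProperty(NEGATIVE, "10"); // constructed value: cache failures for 10 s

        System.out.println(describe(POSITIVE, "sun.net.inetaddr.ttl"));
        System.out.println(describe(NEGATIVE, "sun.net.inetaddr.negative.ttl"));

        // A regular system property with the same name does not change the policy.
        System.setProperty(POSITIVE, "0");
        System.out.println("System property " + POSITIVE + "=" + System.getProperty(POSITIVE)
                + " is ignored; security property is still " + Security.getProperty(POSITIVE));

        String host = args.length > 0 ? args[0] : "localhost";
        try {
            InetAddress first = InetAddress.getByName(host);
            InetAddress second = InetAddress.getByName(host); // answered from the cache within the TTL
            System.out.println(host + " -> " + first.getHostAddress() + ", " + second.getHostAddress());
        } catch (UnknownHostException e) {
            // The failure itself is cached for networkaddress.cache.negative.ttl seconds.
            System.out.println(host + " did not resolve: " + e.getMessage());
        }
    }
}
```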
#2 | 15-02-2010, 15:29 | mik047 (Junior Member)

Thanks for the post...

I have one problem with these settings... I have a web-application running under Tomcat using Java 1.6. My application requires that none of the DNS lookup results are cached and it should be always a fresh request to the respective DNS server. So I set both networkaddress.cache.ttl and networkaddress.cache.negative.ttl to 0 but somehow the application still does not get the updated MX records...

I try digging from command line on the same machine and get the updated records but from the application I fail to get the updated records.

Any clue on what I am missing?

Thanks in advance!
#3 | 15-02-2010, 15:57 | kjkoster (Forum Operator)

Hi mik047,

How did you set the values precisely?

Also note that *some* DNS caching is a good thing, because your app needs to survive DNS outages too. Switching all caches off just makes for one brittle application.

Kees Jan
#4 | 15-02-2010, 16:38 | mik047 (Junior Member)

My comments inlined...

Quote:
Originally posted by kjkoster
Hi mik047,

How did you set the values precisely?

>>> In file java.security, I set the respective properties to be 0.

Also note that *some* DNS caching is a good thing, because your app needs to survive DNS outages too. Switching all caches off just makes for one brittle application.

>>> I agree, but since the application was caching the results, I wanted to test with no caching and then setting it to some reasonable value.

Kees Jan
#5 | 27-02-2010, 20:38 | kjkoster (Forum Operator)

Dear mik047,

If you install the Java-monitor probe, you can see the DNS cache policy that was set and from what source. You can either use JConsole and have a look at the mbean named com.javamonitor:type=DNSCachePolicy or you can look on the host page for that host in Java-monitor and click on "see all measurements" and then search for com.javamonitor:type=DNSCachePolicy. That would tell you what the cache policy is that you run with, plus what that value was configured in.

Kees Jan