I wanted to write a brief note on this since it’s a fairly wide spread problem that I’ve encountered when supporting Java-based applications (despite the problem I much prefer supporting Java-based apps than any other language at this point by leaps and bounds).
The problem is with a really, really stupid default setting with regards to DNS caching set in the java.security file. It’s an old setting, I recall first coming across it I want to say in 2004 or 2003 even. But it’s still a default even today, and some big names out there apparently are not aware or do not care because I come across this issue from a client perspective on what feels like a semi regular basis.
I’ll let the file speak for itself:
# # The Java-level namelookup cache policy for successful lookups: # # any negative value: caching forever # any positive value: the number of seconds to cache an address for # zero: do not cache # # default value is forever (FOREVER). For security reasons, this # caching is made forever when a security manager is set. When a security # manager is not set, the default behavior in this implementation # is to cache for 30 seconds. # # NOTE: setting this to anything other than the default value can have #Â Â Â Â Â Â serious security implications. Do not set it unless #Â Â Â Â Â Â you are sure you are not exposed to DNS spoofing attack. # #networkaddress.cache.ttl=-1
If your experienced with DNS at all you can probably tell right away the above is a bad default to have. The idea that you open yourself to DNS spoofing attack is just brain dead I’m sorry. You may be very well opening yourself to DNS Spoofing attacks by caching those responses. I think to a recent post of mine related to the Amazon cloud, specifically their Elastic Load Balancers – as terrible as they are they also by-design change IP addresses at random intervals. Sometimes resulting in really bad things happening.
“Amazon Web Services’ Elastic Load Balancer is a dynamic load-balancer managed by Amazon. Load balancers regularly swapped around with each other which can lead to surprising results; like getting millions of requests meant for a different AWS customer.
Swapping IPs at random is obviously heavily dependent upon all portions of DNS resolution operating perfectly. Ask anyone experienced with DNS what they do when they migrate from one IP to another and you’ll very likely hear them say they keep the old IP active for X number of DAYS or WEEKS regardless of their DNS TTL settings because some clients or systems simply don’t obey them. This is pretty standard practice. When I moved that one company out of Fisher Plaza (previous post) to the new facility I stuck a basic Apache proxy server in the old data center for a month forwarding all requests to the new site (other things like SMTP/DNS was handled by other means).
Java takes it to a new level though I’ll admit that. Why that is a default is just, well I really don’t have words to answer that.
Fortunately Amazon EC2 customers have another solution considering how terrible ELB is, they can use Zeus (oh sorry I meant Stingray). I’ve been using it for the past 7-8 months and it’s quite nice, easy to use, very flexible and powerful much like a typical F5 or Citrix load balancer (much easier to manage than Citrix). It even integrates with EC2 APIs – it can use an elastic IP to provide automatic fail over (fails over in 10-20 seconds if I recall right, much faster than any DNS-based system could). Because of the Elastic IP the IP of the load balancer will never change. The only real downside to Zeus is it’s limited to a single IP address (not Zeus’ fault this is Amazon limitation). So you can only do one SSL cert per Zeus cluster, the costs can add up quick if you need lots of certs, since the cost of Zeus is probably 5-10x the cost of ELB (and worth every stinking penny too).
Oh that and the Elastic IP is only external (another Amazon limitation – you may see a trend here – ELB too has no static IP internally). So if you want to load balance internal resources say web server 1 talking to web server 2, you either have to route that traffic out to the internet and back in, or to the internal IP of the Zeus load balancer, and manually update the configuration if/when the load balancer fails over because the internal IP will change. I was once taught a long time ago everything behind a VIP. Which means extensive use of internal load balancing for everything from HTTP to HTTPS, to DNS to NTP to SMTP – everything. With the Citrix load balancers we’ve extended our intelligent load balancing to MySQL since it has native support for MySQL now (not aware of anyone else that does – Layer 4 load balancing doesn’t count here).
[…] Networks' SoftAX in EC2, in addition to Riverbed Stingray. Amazon's own Elastic Load Balancer is worse than useless in my experience. I'd rather rely on an external DNS-based load balancing from the likes of Dynect than use ELB. […]
Pingback by New Cloud provider Profitbricks « TechOpsGuys.com — December 18, 2012 @ 11:04 am