10 Replies Latest reply on Jan 13, 2009 10:28 PM by 843811

    How to suppress reverse DNS lookup?

    843811
      When a client SSLSocket connects to the server, then after the SYN, SYN/ACK, ACK handshake the next thing you see on the wire is an attempt to resolve the domain name of the server (as detailed in several previous threads).

      The servers I'm wanting to talk to don't have DNS names, and don't have NetBIOS names and don't have hosts file entries, and I connect to them by specifying the IP address. So what we see is first a failed attempt to do a DNS lookup, then a failed repeated attempt to do a NetBIOS name lookup, during which time some higher level application protocol times out the connection attempt.

      All previous threads I can find on this subject end up with resolutions such as "make sure the server's name can be looked up by DNS" or "put the server's name and address in the hosts file", neither of which solution is useful to me.

      So my question is: How do I stop Java doing these name lookups?

      (As an additional question, just out of idle curiosity: what's it doing the name lookup for anyway?? It can't be to verify that the server name embedded in the certificate is the same as the domain name found by the name lookup for at least two reasons:

      (a) it's doing the name lookup long before it's managed to acquire a certificate from the server

      (b) if I arrange (via the hosts file) that the looked up name is not the same as the domain name in the server certificate then the connection succeeds anyway.)
        • 1. Re: How to suppress reverse DNS lookup?
          843811
          I have just encountered the same problem. Took some time to find out why the SSL connection times out during the handshake.

          The question would be "How do I make the Sun JSSE implementation not do those forward and reverse name lookups?"

          I don't know whether other SSL implementations have the same behaviour or are more configurable. Still, worth a look I guess.
          • 2. Re: How to suppress reverse DNS lookup?
            843811
            I have customers hitting this exact same issue. They are unwilling to put the host names within DNS or host files due to security constraints/policies. Unless there is a way to suppress the reverse lookups, I'll have to just wait for the timeout. I'll need to explain to them that it's a Sun problem that is not avoidable.

            Since these are fortune 500 customers (current/potential Sun customers) and I really like Sun, it would be desirable to avoid this situation.

            Could someone from Sun please respond?

            thanks,
            Mike Morgan
            • 3. Re: How to suppress reverse DNS lookup?
              843811
              As far as I know, there is no security reason for doing the reverse lookup.
              • 4. Re: How to suppress reverse DNS lookup?
                EJP
                I believe the reverse lookup is performed deep in the Java SecurityManager, not JSSE.
                • 5. Re: How to suppress reverse DNS lookup?
                  843811
                  I do not have a SecurityManager installed.
                  • 6. Re: How to suppress reverse DNS lookup?
                    EJP
                    Sorry, deep in the Sockets code.

                    Apart from whatever reason obtains there, the security reason for performing a reverse DNS lookup in SSL forms part of hostname verification.
                    • 7. Re: How to suppress reverse DNS lookup?
                      843811
                      ejp wrote:

                      ...the security reason for performing a reverse DNS lookup in SSL forms part of hostname verification.
                      Seems wrong to me. DNS lookups, reverse or otherwise, have no role in either TLS/SSL or HTTP over TLS, according to the RFCs. Furthermore, even if the reverse DNS lookup results in a different hostname, if the rfc2818 hostname checking is performed correctly the connection is secure. The reverse lookup is just another vector for DoS attacks since DNS itself is not secure.
                      • 8. Re: How to suppress reverse DNS lookup?
                        843811
                        I found a different site that appears to have an answer for this, although I have not yet tried it:

                        http://www.velocityreviews.com/forums/showpost.php?p=2959030&postcount=8

                        Does that help?
                        • 9. Re: How to suppress reverse DNS lookup?
                          843811
                          I created a solution to this a while ago, please forgive me for not posting sooner.

                          I posted a comment on [this bug report|http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4939977] to explain how to get around Java causing reverse DNS lookup on SSL connections. Note that my solution might have side effects, so use with care...
                          • 10. Re: How to suppress reverse DNS lookup?
                            843811
                            Here's the stack trace of at least one instance where Sun is doing a reverse lookup:
                            build 1.6.0-b105

                            java.lang.Thread.State: RUNNABLE
                            at java.net.Inet4AddressImpl.getHostByAddr(Native Method)
                            at java.net.InetAddress$1.getHostByAddr(InetAddress.java:853)
                            at java.net.InetAddress.getHostFromNameService(InetAddress.java:533)
                            at java.net.InetAddress.getHostName(InetAddress.java:476)
                            at java.net.InetAddress.getHostName(InetAddress.java:448)
                            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.getHost(SSLSocketImpl.java:1700)
                            at com.sun.net.ssl.internal.ssl.Handshaker.getHostSE(Handshaker.java:198)
                            at com.sun.net.ssl.internal.ssl.ClientHandshaker.getKickstartMessage(ClientHandshaker.java:833)
                            at com.sun.net.ssl.internal.ssl.Handshaker.kickstart(Handshaker.java:538)
                            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.kick
                            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1028)
                            at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:621)
                            at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
                            at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
                            at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
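The stack trace above shows the lookup coming from SSLSocketImpl.getHost() calling InetAddress.getHostName() on an InetAddress that carries no host name. The following is an added example, not code from this thread or from the bug report linked in reply 9: it builds the InetAddress with a preset name via InetAddress.getByAddress(String, byte[]) and layers TLS over a plain socket through SSLSocketFactory.createSocket(Socket, String, int, boolean), so the host string is already populated and no reverse (or NetBIOS) lookup is issued. The server address, port and the class name NoReverseLookupSsl are assumptions.

```java
import java.net.InetAddress;
import java.net.Socket;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class NoReverseLookupSsl {

    // Returns an InetAddress for a literal IP whose host name is already set.
    // InetAddress.getByName() on a literal only validates the format (no DNS query),
    // but leaves the name empty, so a later getHostName() would trigger the reverse
    // lookup seen in the stack trace. getByAddress(host, raw) pins the name instead.
    static InetAddress literalAddress(String ipLiteral) throws Exception {
        byte[] raw = InetAddress.getByName(ipLiteral).getAddress();
        return InetAddress.getByAddress(ipLiteral, raw);
    }

    // Opens a TLS connection to an IP literal without any forward or reverse name lookup.
    static SSLSocket connect(String ipLiteral, int port) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();

        // Plain TCP connect to the pre-named address: no name service involved.
        Socket plain = new Socket(literalAddress(ipLiteral), port);

        // Layer TLS over it and hand the host in as a string. SSLSocketImpl.getHost()
        // only falls back to InetAddress.getHostName() when this string is empty.
        SSLSocket ssl = (SSLSocket) factory.createSocket(plain, ipLiteral, port, true);

        // Java 7+: ask JSSE to match the certificate against the literal (iPAddress SAN),
        // since a bare SSLSocket performs no hostname verification on its own.
        SSLParameters params = ssl.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        ssl.setSSLParameters(params);

        ssl.startHandshake();  // ClientHello goes out immediately, no DNS traffic first
        return ssl;
    }

    public static void main(String[] args) throws Exception {
        // Assumed server address and port; replace with the real target.
        try (SSLSocket s = connect("192.0.2.10", 443)) {
            System.out.println("Negotiated " + s.getSession().getProtocol()
                    + " with " + s.getSession().getPeerPrincipal());
        }
    }
}
```

Suppressing the lookup removes the timeout but not the need to tie the certificate to the address: without the endpoint identification step (or an equivalent check in the application), a certificate issued to any name would be accepted.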