Java DNS cache TTL
We know that Java's InetAddress caches DNS resolution results in its own cache.
There are two caching policies: one caches the IP address of a successful resolution, the other caches the failure state of a lookup that did not resolve.
The TTL for both policies is configured in the file %JRE%\lib\security\java.security.
TTL=Time to Live
networkaddress.cache.ttl
Caches the IP of a successful resolution; a repeated lookup within the TTL returns the cached result directly.
Cache duration:
1. When the Java security manager is enabled, the result is cached forever. (PS: app servers such as JBoss and Tomcat do not enable the Java security manager by default; see the reference here.)
2. When it is not enabled, the default is to cache for 30 seconds.
3. Setting the TTL to 0 means no caching, -1 means cache forever, and a positive value is the cache duration in seconds.
The description of the cache duration can be found in %JRE%\lib\security\java.security:
#
# The Java-level namelookup cache policy for successful lookups:
#
# any negative value: caching forever
# any positive value: the number of seconds to cache an address for
# zero: do not cache
#
# default value is forever (FOREVER). For security reasons, this
# caching is made forever when a security manager is set. When a security
# manager is not set, the default behavior is to cache for 30 seconds.
#
# NOTE: setting this to anything other than the default value can have
# serious security implications. Do not set it unless
# you are sure you are not exposed to DNS spoofing attack.
#
#networkaddress.cache.ttl=-1
networkaddress.cache.negative.ttl (default: 10)
Caches failed results; a repeated lookup within the TTL returns the error directly (reducing load on the DNS server). The default is 10 seconds.
Setting the TTL to 0 means no caching, -1 means cache forever, and a positive value is the cache duration in seconds.
This setting can also be found in %JRE%\lib\security\java.security:
# The Java-level namelookup cache policy for failed lookups:
#
# any negative value: cache forever
# any positive value: the number of seconds to cache negative lookup results
# zero: do not cache
#
# In some Microsoft Windows networking environments that employ
# the WINS name service in addition to DNS, name service lookups
# that fail may take a noticeably long time to return (approx. 5 seconds).
# For this reason the default caching policy is to maintain these
# results for 10 seconds.
#
#
networkaddress.cache.negative.ttl=10
Besides editing the java.security configuration, we can also set the TTL by adding the parameter -Dsun.net.inetaddr.ttl=value when starting the JVM.
Beyond these officially provided means of extension, you can even hack InetAddress's cache mechanism and adjust the cache policy however you like.
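As an added example (not code from the original post), the following Java class sets both TTLs programmatically before the first lookup, reports which setting is in effect, and times a repeated lookup so the positive cache can be observed; the class name DnsCacheTtlDemo and the use of localhost as the sample host are assumptions.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.Security;

// Added example, not code from the original post. The class name and the use
// of "localhost" (resolvable without network access) are assumptions.
public class DnsCacheTtlDemo {

    // Apply the TTLs discussed above: positive 30 s, negative 10 s.
    // Caveat: InetAddress reads these properties only once, when its cache
    // policy is initialised, so this must run before the first InetAddress
    // call anywhere in the JVM (including calls made by libraries).
    static void configureCache(String positiveSeconds, String negativeSeconds) {
        Security.setProperty("networkaddress.cache.ttl", positiveSeconds);
        Security.setProperty("networkaddress.cache.negative.ttl", negativeSeconds);
    }

    // Resolution order for the positive TTL: the networkaddress.cache.ttl
    // security property wins; -Dsun.net.inetaddr.ttl is only the fallback;
    // with neither set, the JVM default applies (30 s, or forever under a security manager).
    static String effectivePositiveTtl() {
        String sec = Security.getProperty("networkaddress.cache.ttl");
        if (sec != null) return sec + " (networkaddress.cache.ttl)";
        String sys = System.getProperty("sun.net.inetaddr.ttl");
        if (sys != null) return sys + " (-Dsun.net.inetaddr.ttl)";
        return "JVM default";
    }

    // Time one lookup in microseconds; a failed lookup is also cached,
    // for networkaddress.cache.negative.ttl seconds.
    static long lookupMicros(String host) {
        long start = System.nanoTime();
        try {
            InetAddress.getByName(host);
        } catch (UnknownHostException e) {
            // negative result, served from the cache on the next call
        }
        return (System.nanoTime() - start) / 1_000;
    }

    public static void main(String[] args) {
        configureCache("30", "10");
        System.out.println("positive TTL in effect: " + effectivePositiveTtl());
        String host = args.length > 0 ? args[0] : "localhost";
        System.out.printf("first lookup of %s: %d us%n", host, lookupMicros(host));
        System.out.printf("second lookup of %s (cached): %d us%n", host, lookupMicros(host));
    }
}
```

Run with `java DnsCacheTtlDemo some.host` to compare the first (resolver) and second (cache) lookup times, or with `-Dsun.net.inetaddr.ttl=0` and without the configureCache call to see the fallback property take effect.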