honeymoose/OpenSearch
1
0
Fork 0
mirror of https://github.com/honeymoose/OpenSearch.git synced 2025-02-06 04:58:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
OpenSearch/docs/reference/setup/sysconfig/dns-cache.asciidoc
Jason Tedor 2afa7faefd
Override the JVM DNS cache policy (#36570) 
When a security manager is present, the JVM will cache positive hostname
lookups indefinitely. This can be problematic, especially in the modern
world with cloud services where DNS addresses can change, or
environments using Docker containers where IP addresses could be
considered ephemeral. This behavior impacts cluster discovery,
cross-cluster replication and cross-cluster search, reindex from remote,
snapshot repositories, webhooks in Watcher, external authentication
mechanisms, and the Elastic Stack Monitoring Service. The experience of
watching a DNS lookup change yet not be reflected within Elasticsearch
is a poor experience for users. The reason the JVM has this is guard
against DNS cache posioning attacks. Yet, there is already a defense in
the modern world against such attacks: TLS. With proper certificate
validation, even if a resolver falls prey to a DNS cache poisoning
attack, using TLS would neuter the attack. Therefore we have a policy
with dubious security value that significantly impacts usability. As
such we make the usability/security tradeoff towards usability, since
the security risks are very low. This commit introduces new system
properties that Elasticsearch observes to override the JVM DNS cache
policy.
2018-12-13 10:23:45 -05:00

20 lines
1.2 KiB
Plaintext
Raw Blame History

[[networkaddress-cache-ttl]]
=== DNS cache settings
Elasticsearch runs with a security manager in place. With a security manager in
place, the JVM defaults to caching positive hostname resolutions indefinitely
and defaults to caching negative hostname resolutions for ten
seconds. Elasticsearch overrides this behavior with default values to cache
positive lookups for sixty seconds, and to cache negative lookups for ten
seconds. These values should be suitable for most environments, including
environments where DNS resolutions vary with time. If not, you can edit the
values `es.networkaddress.cache.ttl` and `es.networkaddress.cache.negative.ttl`
in the <<jvm-options,JVM options>>. Note that the values
http://docs.oracle.com/javase/8/docs/technotes/guides/net/properties.html[`networkaddress.cache.ttl=<timeout>`]
and
http://docs.oracle.com/javase/8/docs/technotes/guides/net/properties.html[`networkaddress.cache.negative.ttl=<timeout>`]
in the
http://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html[Java
security policy] are ignored by Elasticsearch unless you remove the settings for
`es.networkaddress.cache.ttl` and `es.networkaddress.cache.negative.ttl`.
Reference in New Issue View Git Blame Copy Permalink