How to disable Java's SSL Reverse DNS Lookup

Question

I have a server in development and a few developers connecting to it. This server uses Java's TLS implementation with SSLEngine.

We saw that, at first, every new connection would have a long delay (30-40 seconds). We narrowed it down to reverse DNS lookups timing out. We solved that by putting all our IPs in the HOSTS file.

Now, the problem is that we are going to widen progressively our user base and I don't want to edit the HOSTS file, especially since we can't guarantee that they're going to have static IPs.

Is there any way to disable the reverse DNS lookup step in Java's SSL/TLS?

I'd like to have this as a configurable parameter, so that we can turn it off during development.

Answer 1

I faced this same problem today when I tried to create a SSL socket connection by IP address only. That resulted in reverse DNS lookup attempt, and therefore it was really slow...

To me the solution was simply to pass a dummy empty string as the host name, when creating the InetAddress for the SSL connection. That is, I changed

InetAddress.getByAddress(addrBytes)

to

InetAddress.getByAddress("", addrBytes)

and it no longer does the reverse DNS lookup.

Answer 2

This question came up in 2006 on the Sun JSSE forums. The bottom line is that it seems to occur only in the Windows java runtime. In this bug report, towards the bottom, is one proposed solution. And here is another proposed solution:

Basically, a reverse DNS lookup during the SSL handshake causes a long timeout.

To fix the problem, cache your server address as an InetAddress object and reuse it in the Socket constructor whenever you are making a new connection to your server.

Hopefully one of these will work for you.