JDK-4065037

Cache maintained by InetAddress.getByName() is defeated by dynamic IP addresses


    • 1.2beta4
    • generic, x86, sparc
    • generic, solaris_2.5.1, solaris_2.6, windows_95, windows_nt
    • Not verified



      Name: tb29552 Date: 07/16/97

      Reported by:
      company - Datametrics Systems Corp. , email - ###@###.###

      InetAddress.getByName() has a severe BUG.

      I have a friend whose IP address changes on a regular basis.
      I have a JAVA program that looks him up by name and we establish
      a connection. The problem is that once his IP address changes, I
      can no longer connect to him!

      Looking at the InetAddress source code the problem is obvious.
      The code is maintaining a cache of name to address translations.
      This seems very, very stupid considering that I am running a JAVA
      application (not an applet), that should be trusted. How can this be fixed?

      On a side note, there is a comment in this code that reads:
        * Do not purge cache of numerical IP addresses, since
        * duplicate dynamic DNS name lookups can leave the system
        * vulnerable to hostname spoofing attacks. Once a hostname
        * has been looked up in DNS and entered into the Java cache,
        * from then on, the hostname is translated to IP address only
        * via the cache.

      While I do not know how spoofing works, if I take this comment at face value,
      the cache does not work as advertised. The cache allows upper/lower case
      variations of the same name to be passed through. For example,
      jerryj.datametrics.com has 1,048,576 names that the cache would
      not filter out and pass through (for example, Jerryj.datametrics.com is one
      of them and so is jerryj.datametRics.com). Doesn't this again open up spoofing?

      Anyway, how is JAVA going to deal with dynamic IP addresses!

      - Jerry
      company - Datametrics Systems Corp. , email - ###@###.###
      ======================================================================


      roger.lewis@Eng 1997-08-05

      InetAddress holds its own cache for DNS names,
      and will never resolve again a given name.
      The rationale (comment in the 1.1.3 source) is
      that it's "to prevent hostname spoofing".

      This however will break round-robin load-balancing
      DNS systems.
      It is also unacceptable for servers which
      might live longer than a DNS name (that is,
      it is quite possible a hostname will change
      its name, and a server will need to access it
      in its new address).
      ==========================================================================
      InetAddress maintains an internal cache of hosts
      which are unknown. This can cause problems if a
      network connection is temporarily down when an
      initial by-name host lookup
      (InetAddress.getByName()) fails. If the network
      connection comes back up, then subsequent by-name
      lookups of that host will continue to fail even
      though the remote host has become accessible.

      Ideally, I'd like to have a public method on
      InetAddress that allows me to remove a particular
      host name from this cache. Failing that, a method
      that allows me to turn caching off or to flush
      the cache before I call InetAddress.getByName()
      would solve the problem.
      ================================================================

      Additional comment by
      company - Cyclone Software Corporation , email - ###@###.###

      I feel this is very wrong. In our application, our customers
      will have the loopback IP address of 127.0.0.1 *before* they
      dial in to their ISP and then to have a *new* (dynamically
      assigned) IP address after they have dialed in. The way the
      InetAddress code is currently written the IP address is always
      returned as 127.0.0.1--even after they've dialed into the ISP
      and are assigned a new IP address--there are no "funny games"
      being played here as suggested by the code comments.

      Please change getLocalHost() so that it always reflects the
      most current IP address.

      ==============================================================

      Another major licensee has complained about caching unknown
      addresses just because they can't be resolved at the time.
      They have an application where the remote client starts
      at boot time, and runs in the background.
      They try to resolve the server name using getByName and if this
      fails due to a name unrecognised by the DNS an 'unknown host
      exception' is thrown. However, if they are not connected to the
      network they get the same error! Since the app 'knows' the name is
      a valid name they take this to mean the network is down and they
      try again after an elapsed period of time. However an 'unknown
      address' value has already been cached and is always returned from
      that point on.
      Mick
        
      ======================================================================
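
The three complaints in this report (case variants of one name missing the cache, stale addresses after an IP change, and failed lookups cached forever) can be seen in a small model. This is an added example, not code from the JDK or from any commenter: the class `NameCacheDemo`, its TTL values, the injected resolver and the 192.0.2.x addresses are all constructed for illustration.

```java
import java.util.*;
import java.util.function.Function;

// Added illustration: a toy name cache, not java.net.InetAddress internals.
public class NameCacheDemo {
    record Entry(String addr, long expiresAt) {}     // addr == null marks a cached failure

    private final Map<String, Entry> cache = new HashMap<>();
    private final Function<String, String> resolver; // stand-in for DNS; null means unknown host
    private final long ttlMs, negativeTtlMs;
    int lookups = 0;                                  // how often the resolver was consulted

    NameCacheDemo(Function<String, String> resolver, long ttlMs, long negativeTtlMs) {
        this.resolver = resolver; this.ttlMs = ttlMs; this.negativeTtlMs = negativeTtlMs;
    }

    String getByName(String host, long now) {
        // DNS names are case-insensitive, so fold case before using the name as a key;
        // otherwise every case variant is a separate cache miss and a fresh lookup.
        String key = host.toLowerCase(Locale.ROOT);
        Entry e = cache.get(key);
        if (e == null || now >= e.expiresAt()) {
            lookups++;
            String addr = resolver.apply(key);
            // Failures are cached too, but only briefly, so a temporary outage clears.
            e = new Entry(addr, now + (addr == null ? negativeTtlMs : ttlMs));
            cache.put(key, e);
        }
        return e.addr();
    }

    public static void main(String[] args) {
        Map<String, String> dns = new HashMap<>();    // constructed sample zone data
        NameCacheDemo c = new NameCacheDemo(dns::get, 30_000, 10_000);

        // Network down at start: the lookup fails and the failure is cached.
        System.out.println(c.getByName("jerryj.datametrics.com", 0));
        dns.put("jerryj.datametrics.com", "192.0.2.10");
        // Inside the negative TTL the cached failure is still returned.
        System.out.println(c.getByName("jerryj.datametrics.com", 5_000));
        // Negative entry expired; a case variant maps to the same key and resolves.
        System.out.println(c.getByName("Jerryj.datametRics.com", 10_000));
        dns.put("jerryj.datametrics.com", "192.0.2.77"); // dynamic address changes
        // Inside the positive TTL the old address is served from the cache.
        System.out.println(c.getByName("JERRYJ.datametrics.com", 20_000));
        // After the TTL the name is resolved again and the new address appears.
        System.out.println(c.getByName("jerryj.datametrics.com", 40_000));
        System.out.println("resolver calls: " + c.lookups);
    }
}
```

Later JDK releases expose comparable controls as the `networkaddress.cache.ttl` and `networkaddress.cache.negative.ttl` security properties.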

            brenaudsunw Benjamin Renaud (Inactive)
            tbell Tim Bell