JDK-4084543 : DNS lookup attempted even when proxy is being used behind firewall
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.net
  • Affected Version: 1.1,1.1.7,1.2.2
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic,solaris_2.5.1,windows_nt
  • CPU: generic,x86,sparc
  • Submitted: 1997-10-07
  • Updated: 2004-01-22
  • Resolved: 2004-01-22
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
Other
5.0 b36Fixed
Related Reports
Duplicate :  
JDK-4219641 - Unavailable DNS servers causes proxy to wait for > 100 seconds
Relates :  
JDK-4975882 - Reverse DNS calls in SocketPermission undesirable
Description
======================================================================

Name: sg39081			Date: 10/07/97


This is a refinement of a prior bug I filed on
hotjava.

Previously, I claimed that if you are
behind a proxy firewall, and type
"www.sun.com", it won't work. but if you type
http:// in front of it, it will.

This was an incorrect report of the actual bug.
The actual bug seems to be:
it will only connect to a site on the SECOND try,
since it was started.

You guys must be doing some bizzare unneccessary
DNS checks the first time a site is contacted.
In proxy mode, you should not be doing ANY DNS 
calls, other than to find the initial 
IP address of the HTTP proxy server.
But I just verified that you are in fact
incorrectly trying to use DNS the first time.

This is a long-standing bug in hotjava, all the
way from 1.0, through to 1.1beta2.
Please fix it ASAP.
======================================================================
Additional information from user:

If you want to REALLY reproduce the problem, it will take some effort, but
you could do the following:

1. install basically ANY proxy http server ("squid", cern httpd..)
   on a machine that has direct access to the internet.

2. take another machine, and
    -) disable DNS
    -) put an entry only for the proxy machine, in /etc/hosts
    -) config hotjava to use that proxy machine.

You then should see the behaviour I described, although I have not checked
specifically through those proxy servers.

To be specific, we are behind a machine running the "TIS firewall toolkit",
which is your basic http proxy software. The firewall is connected
to the internet via a dedicated T1.
But it is a TRUE firewall, in that it does NOT allow internex DNS resolution
from behind the firewall.
If you want outside access, you have to give the address to the http
server, and let the firewall do it.

Which is the problem, cause I think hotjava is doing DNS requests.
naughty, naughty.
ALL OTHER BROWSERS work fine through the firewall.

I think you'd save some time by just having the appropriate engineer look
at the code after seeing my coments.

Your other option would be to give me the hotjava source code, and just
let me fix it :-

======================================================================

###@###.### 1997-11-15 :

On November 7, 1997, the originator of the above bug report (Phil) submitted
a new report (incident 19877) to the same effect, but NOW for HotJava 1.1fcs
(so, hopefully it will be looked at a.s.a.p.):

I am much disappointed that you have STILL not fixed the long-standing
proxy bug, in hotjava FCS 1.1

Here it is AGAIN:
Behind a true proxy firewall (one that does not pass DNS info),
hotjava does not load a new site right away. Only after
pressing the reload button does it load the page. From then on,
it loads other pages from that site okay.

EVERY OTHER BROWSER IN EXISTANCE (that supports proxies) works
FINE behind our firewall, first time:

	Mosaic
	Netscape (2.0, 3.0, 4.0)
	Internet Explorer
	Lynx
	Chimera

But NOT HOTJAVA!

This bug has to be trivial to fix. I re-iterate my offer to fix it, if you
give me source access.

===========================================================================

mircea.oancea@canada 1998-04-09

company - Toshiba  , email - ###@###.###

On JavaOS. Category: hotjava_views & hotjava_browser
We set up proxy servers at these preferences page.
(doc:/lib/ja/hotjava/preferences-proxies.html)
We inputted URL and push RETURN key.
However, browser(WebView) did not access proxy
server directly. The browser access to 
NIS server and DNS server before access PROXY
server.
Comments
CONVERTED DATA BugTraq+ Release Management Values COMMIT TO FIX: generic tiger-beta2 FIXED IN: tiger-beta2 INTEGRATED IN: tiger-b36 tiger-beta2
14-06-2004
EVALUATION (Pawel Veselov, St.Petersburg HotJava team, email: ###@###.###) This is a bug in sun.net.www.protocol.http.HttpURLConnection class. The domain query source is there: HttpURLConnectionCookie.getInputStream() : InputStream is = null; try { Thread.sleep(10000); System.out.println("super.getInputStream() : "+((new Date()))); is = super.getInputStream(); Thread.sleep(10000); } catch (InterruptedException e) { } >HotJava console: super.getInputStream() : Tue Jan 19 14:25:12 GMT 1999 >tcpdump results: 17:25:12.433636 druid.53008 > warrior.domain: 28298+ (40) (DF) 17:25:12.541710 druid.53010 > warrior.domain: 18435+ (40) (DF) 17:25:17.456030 druid.53011 > warrior.domain: 28298+ (40) (DF) The code in jdk reads ( HttpURLConnection.connect() method ) if ("http".equals(url.getProtocol()) && !failedOnce) { http = HttpClient.New(url); } else { // make sure to construct new connection if first attempt failed http = new HttpClient(url, handler.proxy, handler.proxyPort); } This !failedOnce seems to explain why we can connect only from the second try. So, I believe, this bug should be transferred to java.net cathegory. ====================================================================== I don't really understand the above evaluation. jeff.nisewanger@Eng 1999-03-09 Name: pvC76716 Date: 03/10/99 Okay, here is a testcase: ---- cut ---- import java.net.*; import java.io.*; import java.util.Properties; public class GetHttp { GetHttp(String urlString) { URL url=null; InputStream io; try { URL.setURLStreamHandlerFactory(new MyFactory()); } catch (Exception e) { System.err.println("Factory is already installed!"); System.exit(0); } Properties props = System.getProperties(); props.put("http.proxyHost","guard"); props.put("http.proxyPort","3128"); props.put("trustProxy", "true"); for (int i=0; i<2; i++) { System.out.println(" ======== TRY NO. "+(i+1)); try { url = new URL(urlString); } catch (MalformedURLException e) { System.err.println("Malformed URL"); continue; } try { URLConnection conn = url.openConnection(); conn.connect(); io = conn.getInputStream(); } catch (Exception e) { e.printStackTrace(); continue; } System.out.println("Everything is OK!"); int b; do { try { b = io.read(); } catch (Exception e) { e.printStackTrace(); break; } if (b>=0) { System.out.print((char)b); } } while (b >= 0); } } public static void main(String arg[]) { if (arg.length < 1) { System.err.println("Usage : java GetHttp <url>"); System.exit(0); } new GetHttp(arg[0]); } class MyFactory implements URLStreamHandlerFactory { public URLStreamHandler createURLStreamHandler(String protocol) { System.out.println("Asked for Handler for proto "+protocol); if (protocol.equalsIgnoreCase("http")) { return new MyHandler(); } else { return null; } } } class MyHandler extends sun.net.www.protocol.http.Handler { public MyHandler() { super(); } public MyHandler(String proxy, int proxyPort) { super(proxy, proxyPort); } protected URLConnection openConnection(URL url) throws IOException { // return (URLConnection) new // sun.net.www.protocol.http.HttpURLConnection(url, // (sun.net.www.protocol.http.Handler)this); System.out.println("Asked for connection for url "+url); return (URLConnection) new MyConnection(url,this); } } class MyConnection extends sun.net.www.protocol.http.HttpURLConnection { protected MyConnection(URL url, MyHandler hdl) throws IOException { super(url,hdl); } public MyConnection(URL url,String proxy,int proxyPort) throws IOException { super(url, proxy, proxyPort); } } } ---- cut ---- When this application run, there is one DNS request for the host: [vps@druid]~/jprogs$ java GetHttp http://aaa ======== TRY NO. 1 Asked for Handler for proto http Asked for connection for url http://aaa/ Everything is OK! ======== TRY NO. 2 Asked for connection for url http://aaa/ Everything is OK! TCPDUMP: [root@druid]~# tcpdump host warrior tcpdump: listening on hme0 19:22:54.384804 druid.sparc.spb.su.40026 > warrior.sparc.spb.su.domain: 61525+ (34) (DF) 19:22:54.385737 warrior.sparc.spb.su.domain > druid.sparc.spb.su.40026: 61525 NXDomain* 0/1/0 (94) (DF) 19:22:54.386456 druid.sparc.spb.su.40027 > warrior.sparc.spb.su.domain: 61526+ (28) (DF) 19:22:54.388655 warrior.sparc.spb.su.domain > druid.sparc.spb.su.40027: 61526 0/0/0 (28) (DF) 19:22:54.389239 druid.sparc.spb.su.40028 > warrior.sparc.spb.su.domain: 61527+ A? aaa. (21) (DF) 19:22:54.390082 warrior.sparc.spb.su.domain > druid.sparc.spb.su.40028: 61527 NXDomain* 0/1/0 (81) (DF) druid is my box and warrior is a DNS server. This DNS request can produce very long delay, if DNS is disable inside firewall. You can see : even if proxy is set and we are trying to get the URL via proxy, JDK tries to find out is URL hostname valid or not. I hope I am doing this the same way HotJava does. ====================================================================== [mayank.upadhyay@eng 1999-09-15] As of JDK1.2 the problem of not connecting on the first attempt is fixed. You can connect to the host outside the firewall on the first attempt. But you have to be sure to set the trustProxy property to true. sun.net.www.http.HttpClient calls InetAddress.getByName() at the start of its constructor which will result in a DNS lookup the first time. When using the security manager the SocketPermission class also does name to address translations which return the cached value from the first lookup. The first DNS lookup is done to prevent various DNS spoofing attacks and will be left in for now. mayank.upadhyay@eng 2000-02-14 Retaining this bug as a placeholder to possibly do some cleanup in the area of trustproxy and maybe also avoid doing the DNS lookup. bradford.wetmore@eng 2000-02-16 This "feature" is definately generating customer calls. I'm rethinking that we may want to expose trustProxy more than in the past. Anyway, it appears as though we have another problem. http://java.sun.com/security/signExample12/signedPluginEx.html If I am behind the firewall, trustProxy is not true, and I have the following grant statement: grant { java.security.AllPermission; }; Everything works as expected. However, if you change the line to: grant signedBy "Duke" { permission java.security.AllPermission; }; I get an unexpected access control permission denied. I'm not doing any codebase stuff, just a signedBy.... java.security.AccessControlException: access denied (java.net.SocketPermission java.sun.com connect,accept,resolve) at java.security.AccessControlContext.checkPermission(AccessControlContext.java, Compiled Code) at java.security.AccessController.checkPermission(AccessController.java, Compiled Code) at java.lang.SecurityManager.checkPermission(SecurityManager.java, Compiled Code) at java.net.URLClassLoader$3.run(URLClassLoader.java, Compiled Code) at java.security.AccessController.doPrivileged(Native Method) ....rest deleted.... This code is definately signed by Duke... Name: pvC76716 Date: 02/17/2000 It would also nice if this bug can be fixed in 1.1.next, since HotJava works with JDK 1.1.x only for now... ====================================================================== bradford.wetmore@eng 2000-03-07 The RM for this bug does not expect a JDK 1.1.next. From: merlund Tue, 7 Mar 2000 The last I heard, there's not going to be a 1.1.9. The customer will need to escalate to get a fix on 1.1.x. ###@###.### 2004-01-16 Filed another bug 4975882 to track the issues related to SocketPermission class. This bug will now only refers to the original issues about DNS lookup attempted when proxy is present even without a security manager presence, i.e. related to the "sprint bug" fix.
11-06-2004
WORK AROUND Name: sg39081 Date: 10/07/97 every time hotjava incorrectly claims it cannot connect to a site, press reload. ======================================================================
11-06-2004