如何禁用 Java 的 SSL 反向 DNS 查找 [英] How to disable Java's SSL Reverse DNS Lookup

问题描述

我有一个正在开发的服务器，有一些开发人员正在连接到它.此服务器使用带有 SSLEngine 的 Java TLS 实现.

I have a server in development and a few developers connecting to it. This server uses Java's TLS implementation with SSLEngine.

我们看到，起初，每个新连接都会有很长的延迟(30-40 秒).我们缩小范围以反向 DNS 查找超时.我们通过将所有 IP 放在 HOSTS 文件中解决了这个问题.

We saw that, at first, every new connection would have a long delay (30-40 seconds). We narrowed it down to reverse DNS lookups timing out. We solved that by putting all our IPs in the HOSTS file.

现在，问题是我们将逐步扩大我们的用户群，我不想编辑 HOSTS 文件，特别是因为我们不能保证他们会拥有静态 IP.

Now, the problem is that we are going to widen progressively our user base and I don't want to edit the HOSTS file, especially since we can't guarantee that they're going to have static IPs.

有什么办法可以禁用 Java 的 SSL/TLS 中的反向 DNS 查找步骤吗?

Is there any way to disable the reverse DNS lookup step in Java's SSL/TLS?

我希望将此作为可配置参数，以便我们可以在开发过程中将其关闭.

I'd like to have this as a configurable parameter, so that we can turn it off during development.

推荐答案

今天我在尝试仅通过 IP 地址创建 SSL 套接字连接时遇到了同样的问题.这导致了反向 DNS 查找尝试，因此它真的很慢......

I faced this same problem today when I tried to create a SSL socket connection by IP address only. That resulted in reverse DNS lookup attempt, and therefore it was really slow...

对我来说，解决方案只是在为 SSL 连接创建 InetAddress 时传递一个虚拟的空字符串作为主机名.也就是我改了

To me the solution was simply to pass a dummy empty string as the host name, when creating the InetAddress for the SSL connection. That is, I changed

InetAddress.getByAddress(addrBytes)

到

InetAddress.getByAddress("", addrBytes)

它不再进行反向 DNS 查找.

and it no longer does the reverse DNS lookup.

这篇关于如何禁用 Java 的 SSL 反向 DNS 查找的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！