Posted to users@camel.apache.org by rouble <r....@gmail.com> on 2013/06/03 23:20:50 UTC

Performance Degradation due to Reverse DNS Lookups

Camel Dudes,

We have detected a very strange issue in that our https routes degrade
in performance when an ip address is used (as opposed to a domain
name).

Turns out that the Java core libraries do a reverse DNS lookup for the ip
address when SSL connections are created. Read all about it here:

https://forums.oracle.com/forums/thread.jspa?threadID=1532033
http://stackoverflow.com/questions/3193936/how-to-disable-javas-ssl-reverse-dns-lookup

This becomes an issue when the IP address is not configured in the DNS
server and the reverse DNS fails. In this case each connection has to
wait for a timeout of the reverse DNS request before it can proceed.
This makes domain name connections faster than ip address connections
- which is backwards.

Is this a known issue? There are a few workarounds/hacks recommended
on the interwebs, I was wondering if it would be possible to introduce
them into camel
(http://www.velocityreviews.com/forums/showpost.php?p=2959030&postcount=8).

tia,
rouble
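
An added example (not from this thread and not Camel code) of one way to sidestep the lookup described above for IPv4 literals: construct the InetAddress with its host name already filled in, so the JDK has nothing left to resolve, while certificate and endpoint checks stay on. The class name, method names and sample address are assumptions made for illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Added illustration; class and method names are hypothetical. */
public class NoReverseDnsTls {

    /**
     * Parses an IPv4 literal by hand (the resolver is never consulted) and
     * returns an InetAddress whose host name is pre-set to that literal, so
     * a later getHostName() returns it without sending a PTR query.
     */
    static InetAddress pinnedAddress(String ipLiteral) throws UnknownHostException {
        String[] parts = ipLiteral.split("\\.", -1);
        if (parts.length != 4) {
            throw new IllegalArgumentException("not an IPv4 literal: " + ipLiteral);
        }
        byte[] raw = new byte[4];
        for (int i = 0; i < 4; i++) {
            if (!parts[i].matches("\\d{1,3}") || Integer.parseInt(parts[i]) > 255) {
                throw new IllegalArgumentException("bad octet in: " + ipLiteral);
            }
            raw[i] = (byte) Integer.parseInt(parts[i]);
        }
        // getByAddress(host, addr) stores the name as given; no name service lookup.
        return InetAddress.getByAddress(ipLiteral, raw);
    }

    /** Opens a TLS socket using the JVM's default trust store. */
    static SSLSocket connect(String ipLiteral, int port) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(pinnedAddress(ipLiteral), port);
        SSLParameters params = socket.getSSLParameters();
        // Keep endpoint identification: the certificate must carry this IP as a SAN.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws Exception {
        String ip = "192.0.2.10"; // constructed sample address (TEST-NET-1)
        InetAddress pinned = pinnedAddress(ip);
        long start = System.nanoTime();
        String name = pinned.getHostName(); // returns the stored literal, no DNS
        long micros = (System.nanoTime() - start) / 1000;
        System.out.println("getHostName() = " + name + " after " + micros + " us");
        // connect(ip, 443) needs a reachable server, so it is not called here.
    }
}
```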

Re: Performance Degradation due to Reverse DNS Lookups

Posted by Claus Ibsen <cl...@gmail.com>.
Hi

I logged a ticket to not forget about this
https://issues.apache.org/jira/browse/CAMEL-6898

On Tue, Jun 25, 2013 at 11:19 AM, Claus Ibsen <cl...@gmail.com> wrote:
> Yeah would be nice if we have a simple way of turning this on. Feel
> free to log a JIRA ticket.



-- 
Claus Ibsen
-----------------
Red Hat, Inc.
Email: cibsen@redhat.com
Twitter: davsclaus
Blog: http://davsclaus.com
Author of Camel in Action: http://www.manning.com/ibsen

Re: Performance Degradation due to Reverse DNS Lookups

Posted by Claus Ibsen <cl...@gmail.com>.
On Tue, Jun 18, 2013 at 3:39 PM, rouble <r....@gmail.com> wrote:
> We already do something similar:
> <SNIP>
>                 SSLContext ctx = SSLContext.getInstance("SSL");
>                 ctx.init(null, new TrustManager[] { new TrustAllTrustManager() }, null);
>                 SSLSocketFactory ssf = new SSLSocketFactory(ctx,
>                         SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
> </SNIP>
>
> This issue does not have to do with the host name verifier or with
> camel per se, but more to do with the fact that Java core
> implementation will try to do a reverse dns lookup when creating a
> secure connection to an ip address. There are workarounds, but those
> would need to be implemented in camel.
>
> Cheers
> rouble
>

Yeah would be nice if we have a simple way of turning this on. Feel
free to log a JIRA ticket.





--
Claus Ibsen
-----------------
www.camelone.org: The open source integration conference.

Red Hat, Inc.
FuseSource is now part of Red Hat
Email: cibsen@redhat.com
Web: http://fusesource.com
Twitter: davsclaus
Blog: http://davsclaus.com
Author of Camel in Action: http://www.manning.com/ibsen

Re: Performance Degradation due to Reverse DNS Lookups

Posted by rouble <r....@gmail.com>.
We already do something similar:
<SNIP>
                SSLContext ctx = SSLContext.getInstance("SSL");
                ctx.init(null, new TrustManager[] { new TrustAllTrustManager() }, null);
                SSLSocketFactory ssf = new SSLSocketFactory(ctx,
                        SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
</SNIP>

This issue does not have to do with the host name verifier or with
camel per se, but more to do with the fact that Java core
implementation will try to do a reverse dns lookup when creating a
secure connection to an ip address. There are workarounds, but those
would need to be implemented in camel.

Cheers
rouble



On Mon, Jun 3, 2013 at 10:47 PM, Willem jiang <wi...@gmail.com> wrote:
> Hi,
>
> I'm not sure if setting the dummy implementation of X509HostnameVerifier can resolve the issue.
> Can you try it to see if it works?

Re: Performance Degradation due to Reverse DNS Lookups

Posted by Willem jiang <wi...@gmail.com>.
Hi,

I'm not sure if setting the dummy implementation of X509HostnameVerifier can resolve the issue.
Can you try it to see if it works?


--  
Willem Jiang

Red Hat, Inc.
FuseSource is now part of Red Hat
Web: http://www.fusesource.com | http://www.redhat.com
Blog: http://willemjiang.blogspot.com (http://willemjiang.blogspot.com/) (English)
          http://jnn.iteye.com (http://jnn.javaeye.com/) (Chinese)
Twitter: willemjiang  
Weibo: 姜宁willem





On Tuesday, June 4, 2013 at 10:23 AM, rouble wrote:

> In my router configuration I am specifying "https4" - is that what you
> wanted to know?
>  
> cheers
> rouble




Re: Performance Degradation due to Reverse DNS Lookups

Posted by rouble <r....@gmail.com>.
In my router configuration I am specifying "https4" - is that what you
wanted to know?

cheers
rouble

On Mon, Jun 3, 2013 at 9:59 PM, Willem jiang <wi...@gmail.com> wrote:
> Hi,
>
> There are lots of http-related components that can provide the https connection; it could be helpful if you can tell us which http component you are using.

Re: Performance Degradation due to Reverse DNS Lookups

Posted by Willem jiang <wi...@gmail.com>.
Hi,

There are lots of http-related components that can provide the https connection; it could be helpful if you can tell us which http component you are using.

--  
Willem Jiang
