; Zone file for company.com
$TTL 86400
@ IN SOA ns1.company.com. root.company.com. (
2006052301 ; serial number (YYYYMMDDnn; an unsigned 32-bit value, so 12-digit serials are out of range)
3H ; refresh
1M ; retry
2W ; expiration
1D ; minimum ttl
)
@ IN NS ns1.company.com.
company.com. IN NS ns2.company.com.
ns1.company.com. IN A 172.24.254.1
ns2 IN A 172.24.254.2
corp1 IN A 172.24.1.1
danger1 IN A 172.24.0.1
...
Until the ColdFusion server is restarted, the JVM keeps using the old IP address instead of the updated one: remote connections either fail as unreachable or, worse, reach whatever machine has since been assigned the old address 172.24.0.1, which then receives the credentials or data that were meant for danger1.
This behaviour is by design, according to the documentation for java.net.InetAddress:
InetAddress Caching
The InetAddress class has a cache to store successful as well as unsuccessful host name resolutions. The positive caching is there to guard against DNS spoofing attacks; while the negative caching is used to improve performance.
By default, the result of positive host name resolutions are cached forever, because there is no general rule to decide when it is safe to remove cache entries. The result of unsuccessful host name resolution is cached for a very short period of time (10 seconds) to improve performance.
Under certain circumstances where it can be determined that DNS spoofing attacks are not possible, a Java security property can be set to a different Time-to-live (TTL) value for positive caching. Likewise, a system admin can configure a different negative caching TTL value when needed.
Two Java security properties control the TTL values used for positive and negative host name resolution caching:
networkaddress.cache.ttl (default: -1) Indicates the caching policy for successful name lookups from the name service. The value is specified as an integer to indicate the number of seconds to cache the successful lookup.
A value of -1 indicates "cache forever".
networkaddress.cache.negative.ttl (default: 10) Indicates the caching policy for un-successful name lookups from the name service. The value is specified as an integer to indicate the number of seconds to cache the failure for un-successful lookups.
A value of 0 indicates "never cache". A value of -1 indicates "cache forever".
If you would rather disable or shorten the IP address caching and accept a small performance penalty for repeated host name resolutions, set networkaddress.cache.ttl in cf_root\runtime\jre\lib\security\java.security (or the equivalent file for whichever JVM ColdFusion is running on). The property is already present near the bottom of that file, commented out and showing the default value. Copy that line, paste it uncommented below with your chosen value, and restart ColdFusion for it to take effect: the policy is read once, the first time the JVM resolves a name, so editing the file on a running server changes nothing until the restart. Two caveats. First, this is a Java security property, not a system property, so passing it as a -D argument to the JVM has no effect; if you prefer a JVM argument, the legacy system property sun.net.inetaddr.ttl is honoured instead. Second, a short or zero TTL re-opens exactly the DNS spoofing exposure the permanent cache was added to guard against, so only do this where you trust the resolver path between the server and its name servers. Newer JDKs also changed the default: when no security manager is installed they cache positive lookups for 30 seconds rather than forever, and the comment block in your own java.security file states the default that applies to your version.
# The Java-level namelookup cache policy for successful lookups:
#
# any negative value: caching forever
# any positive value: the number of seconds to cache an address for
# zero: do not cache
#
# default value is forever (FOREVER). For security reasons, this
# caching is made forever when a security manager is set.
#
# NOTE: setting this to anything other than the default value can have
# serious security implications. Do not set it unless
# you are sure you are not exposed to DNS spoofing attack.
#
#networkaddress.cache.ttl=-1
#
# *** disable caching by setting this value to 0 ***
networkaddress.cache.ttl=0
#
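The following stand-alone program is an added example, not code from the original post or from ColdFusion: it prints the TTL policy the JVM will apply and then resolves one name repeatedly, so you can change the A record on your DNS server between passes and see whether the JVM notices. The host name danger1.company.com and the 5-second pause are assumptions chosen to match the zone file above; any name your resolver serves will do. Setting the property from code is only a convenience for this test harness, since it must happen before the first lookup in the JVM, which is why a server such as ColdFusion needs the java.security edit instead.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.Security;

/*
 * Added example (not from the original post). Shows how the JVM's positive
 * name-resolution cache behaves under a given networkaddress.cache.ttl.
 *
 * Usage: java DnsCacheCheck <hostname> [ttlSeconds] [iterations]
 *
 * While it loops, change the A record for <hostname> on your DNS server and
 * watch the printed address. With ttl=-1 (cache forever) it never changes
 * until the JVM restarts; with ttl=0 it changes on the next pass.
 */
public class DnsCacheCheck {

    /** Resolve once and return the dotted address, or null if the lookup failed. */
    static String resolve(String host) {
        try {
            return InetAddress.getByName(host).getHostAddress();
        } catch (UnknownHostException e) {
            return null; // failures are cached separately, per networkaddress.cache.negative.ttl
        }
    }

    public static void main(String[] args) throws InterruptedException {
        // Hypothetical name taken from the zone file above; pass your own as args[0].
        String host = args.length > 0 ? args[0] : "danger1.company.com";
        int iterations = args.length > 2 ? Integer.parseInt(args[2]) : 6;

        // The cache policy is read only once, the first time InetAddress is used,
        // so an override must be applied before any lookup in this JVM. This line is
        // equivalent to uncommenting networkaddress.cache.ttl in java.security.
        if (args.length > 1) {
            Security.setProperty("networkaddress.cache.ttl", args[1]);
        }

        // getProperty returns null when the line in java.security is still commented
        // out, meaning the JVM's built-in default applies.
        System.out.println("networkaddress.cache.ttl          = "
                + Security.getProperty("networkaddress.cache.ttl"));
        System.out.println("networkaddress.cache.negative.ttl = "
                + Security.getProperty("networkaddress.cache.negative.ttl"));

        String previous = null;
        for (int i = 1; i <= iterations; i++) {
            long start = System.nanoTime();
            String addr = resolve(host);
            double ms = (System.nanoTime() - start) / 1e6;
            String note = (previous != null && !previous.equals(addr)) ? "  <-- changed" : "";
            System.out.printf("[%d] %s -> %s (%.1f ms)%s%n", i, host, addr, ms, note);
            previous = addr;
            Thread.sleep(5000); // assumed pause; long enough to edit the record between passes
        }
    }
}
```

Run it twice against the same name, once with a TTL argument of -1 and once with 0, changing the A record part-way through each run: the first run keeps printing the original address for the life of the process, the second prints the new one on the pass after the change. A fast lookup time on later passes is a cache hit; a lookup that takes as long as the first one went back to the name service.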