ColdFusion network protocol tags such as CFHTTP, CFFTP and CFLDAP cache hostname-to-IP-address resolution, because this behavior is built into the default security properties of the JVM that ColdFusion runs on.

For example, if your local intranet DNS server or hosts file returns the IP 172.24.0.1 for a lookup of hostname corp1.company.com, and a CFHTTP call was made for the page http://corp1.company.com/data.csv, then for every subsequent CFML network protocol tag that attempts to access corp1.company.com the IP 172.24.0.1 will be used, until ColdFusion is restarted.

But what happens when one of the network sysadmins changes the DNS A record so that corp1.company.com now points to a slightly different IP address, 172.24.1.1?

; Zone file for company.com
$TTL 86400
@ IN SOA ns1.company.com. root.company.com. (
200605230001 ; serial number
3H ; refresh
1M ; retry
2W ; expiration
1D ; minimum ttl
)
@ IN NS ns1.company.com.
company.com. IN NS ns2.company.com.
ns1.company.com. IN A 172.24.254.1
ns2 IN A 172.24.254.2
corp1 IN A 172.24.1.1
danger1 IN A 172.24.0.1
...

Until the ColdFusion server is restarted, the JVM will continue to use the old IP address instead of the updated one, and remote network access will either fail as unreachable or, worse, will reach a different machine that has since been assigned the old IP of 172.24.0.1 (danger1 in the zone above).

This behavior is by design, according to the documentation for java.net.InetAddress:

InetAddress Caching
The InetAddress class has a cache to store successful as well as unsuccessful host name resolutions. The positive caching is there to guard against DNS spoofing attacks; while the negative caching is used to improve performance.

By default, the result of positive host name resolutions are cached forever, because there is no general rule to decide when it is safe to remove cache entries. The result of unsuccessful host name resolution is cached for a very short period of time (10 seconds) to improve performance.

Under certain circumstances where it can be determined that DNS spoofing attacks are not possible, a Java security property can be set to a different Time-to-live (TTL) value for positive caching. Likewise, a system admin can configure a different negative caching TTL value when needed.

Two Java security properties control the TTL values used for positive and negative host name resolution caching:

networkaddress.cache.ttl (default: -1) Indicates the caching policy for successful name lookups from the name service. The value is specified as an integer to indicate the number of seconds to cache the successful lookup.

A value of -1 indicates "cache forever".

networkaddress.cache.negative.ttl (default: 10) Indicates the caching policy for un-successful name lookups from the name service. The value is specified as an integer to indicate the number of seconds to cache the failure for un-successful lookups.

A value of 0 indicates "never cache". A value of -1 indicates "cache forever".


If you prefer to disable or reduce the TTL of the IP address caching, and accept a small performance penalty for repeated hostname resolutions, you can configure networkaddress.cache.ttl in the config file cf_root\runtime\jre\lib\security\java.security, or the equivalent file if you are using another JVM. The property is already present near the bottom of that file, but only as a commented-out line showing the default value. Copy that line, paste it uncommented below with your custom value, and restart ColdFusion for the change to take effect.

# The Java-level namelookup cache policy for successful lookups:
#
# any negative value: caching forever
# any positive value: the number of seconds to cache an address for
# zero: do not cache
#
# default value is forever (FOREVER). For security reasons, this
# caching is made forever when a security manager is set.
#
# NOTE: setting this to anything other than the default value can have
# serious security implications. Do not set it unless
# you are sure you are not exposed to DNS spoofing attack.
#
#networkaddress.cache.ttl=-1
#
# *** disable caching by setting this value to 0 ***
networkaddress.cache.ttl=0
#
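To see the cache policy in action, and to verify that an edited java.security file actually changed it, the following stand-alone Java program is an added example (it is not part of the original post and not ColdFusion code). It resolves a hostname in a loop and prints a line only when the JVM's answer changes, so you can change the A record (or a hosts-file entry) while it runs and watch whether, and how soon, the new address is picked up. The class name DnsCacheProbe and its command-line arguments are my own; the program assumes nothing else in the JVM has resolved a hostname before applyTtl runs, because the JDK reads networkaddress.cache.ttl once, when its cache policy is first initialised.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.Security;
import java.util.Arrays;

/**
 * Added example, not from the original post: a probe that shows what the JVM's
 * InetAddress cache is doing for a given hostname.
 *
 * Usage:   java DnsCacheProbe [hostname] [ttlSeconds] [iterations]
 * Defaults: localhost (served from the hosts file, so no network is needed),
 *           a TTL of 30 seconds, and 10 iterations five seconds apart.
 */
public class DnsCacheProbe {

    /**
     * Apply the positive-lookup TTL programmatically. This is the same security
     * property the java.security file sets; it must be called BEFORE the first
     * hostname lookup in this JVM, because the policy is read only once.
     * -1 = cache forever (the JDK default), 0 = never cache, n = n seconds.
     */
    static void applyTtl(String ttlSeconds) {
        Security.setProperty("networkaddress.cache.ttl", ttlSeconds);
    }

    /** Resolve once and return the sorted addresses as "a,b,c", or a marker on failure. */
    static String resolve(String host) {
        try {
            InetAddress[] addrs = InetAddress.getAllByName(host);
            String[] ips = new String[addrs.length];
            for (int i = 0; i < addrs.length; i++) {
                ips[i] = addrs[i].getHostAddress();
            }
            Arrays.sort(ips); // stable ordering so only real changes are reported
            return String.join(",", ips);
        } catch (UnknownHostException e) {
            // Failures are cached separately, under networkaddress.cache.negative.ttl
            return "UNRESOLVED(" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws InterruptedException {
        String host = args.length > 0 ? args[0] : "localhost";
        String ttl = args.length > 1 ? args[1] : "30";
        int rounds = args.length > 2 ? Integer.parseInt(args[2]) : 10;

        applyTtl(ttl); // before any lookup, see the note on applyTtl

        String previous = null;
        for (int i = 0; i < rounds; i++) {
            String now = resolve(host);
            if (!now.equals(previous)) {
                // %tT prints the wall-clock time so the delay until a change is visible
                System.out.printf("%tT  %s -> %s%n", System.currentTimeMillis(), host, now);
                previous = now;
            }
            Thread.sleep(5000);
        }
    }
}
```

Run it once with a TTL argument of -1 and once with 30 while changing the record for the test name: with -1 the first line is the only line you will ever see, exactly the situation described above for ColdFusion, while with 30 a second line appears within about half a minute of the DNS change. Note that this runtime approach is only for the probe itself; inside ColdFusion the JVM has long since resolved hostnames by the time any CFML executes, so there the property has to be set in java.security as shown above, followed by a restart. A small positive value such as 30 or 60 is the usual compromise between the "never cache" setting in the snippet above and the default of caching forever.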