Socket problem -- response slow for host with domain (on SunOS 5.8)

N

Nishi Bhonsle

Hi:

I have a servlet application deployed in OC4J. One of the page of the application takes the value for a smtpServer entered by the user from the client(value is a string), checks whether the value is valid in the following backend code --

try
{
//if you can open a socket on the smtp host at port 25, then it is a valid smtp host
Socket smtpSocket = new smtpSocket("smtpServerVal", 25);
....
....
}
catch(UnknownHostException uhe)
{
...
.....
}
catch(IOException ioe)
{
....
....
}
where smtpServerVal is the value entered through the client UI(browser).

I noticed that when I pass
Socket smtpSocket = new smtpSocket("yahoo", 25);
I get the UnknownHostException immediately(response is quick) and the page returns.

But when I pass
Socket smtpSocket = new smtpSocket("yahoo.com", 25);
The response of IOException takes a rather long time.. i.e. the page takes almost after 30 secs or more to return.

I observe this slower response only when the backend code is run on a solaris 8 machine, not on windows XP or 2000.
Is this a known issue? How can I resolve this if any?

Thanks, Nishi.
 
N

Nigel Wade

Nishi said:
Hi:

I have a servlet application deployed in OC4J. One of the page of the
application takes the value for a smtpServer entered by the user from the
client(value is a string), checks whether the value is valid in the
following backend code --
try
{
//if you can open a socket on the smtp host at port 25, then it is a valid smtp host
Socket smtpSocket = new smtpSocket("smtpServerVal", 25);
...
...
}
catch(UnknownHostException uhe)
{
..
....
}
catch(IOException ioe)
{
...
...
}
where smtpServerVal is the value entered through the client UI(browser).

I noticed that when I pass
Socket smtpSocket = new smtpSocket("yahoo", 25);
I get the UnknownHostException immediately(response is quick) and the page returns.

But when I pass
Socket smtpSocket = new smtpSocket("yahoo.com", 25);
The response of IOException takes a rather long time.. i.e. the page takes
almost after 30 secs or more to return.
I observe this slower response only when the backend code is run on a
solaris 8 machine, not on windows XP or 2000.
Is this a known issue? How can I resolve this if any?

Thanks, Nishi.

Most likely one of two issues is involved here.

The first is DNS. Any time a failure takes "around 30s" I think DNS. This is
the usual timeout for the resolver libraries if they get no response from a
DNS server. Check whether DNS is working correctly on the Solaris machine.

The second issue is firewalls. If there's a firewall in the way which drops
rather than rejects packets destined for port 25 then you'll get a timeout
delay. But I'd expect that to be considerably longer than 30s.

Of course it could be a combination of the two, a firewall which is
dropping/rejecting the DNS responses from the DNS server...

Without knowing what the constructor for smtpServer(String,int) does I can't
say more.
 
N

Nishi Bhonsle

Nigel said:
application takes the value for a smtpServer entered by the user from the
client(value is a string), checks whether the value is valid in the
following backend code --
almost after 30 secs or more to return.
solaris 8 machine, not on windows XP or 2000.

Most likely one of two issues is involved here.

The first is DNS. Any time a failure takes "around 30s" I think DNS. This is
the usual timeout for the resolver libraries if they get no response from a
DNS server. Check whether DNS is working correctly on the Solaris machine.

The second issue is firewalls. If there's a firewall in the way which drops
rather than rejects packets destined for port 25 then you'll get a timeout
delay. But I'd expect that to be considerably longer than 30s.

Of course it could be a combination of the two, a firewall which is
dropping/rejecting the DNS responses from the DNS server...

Without knowing what the constructor for smtpServer(String,int) does I can't
say more.

The constructor Socket smtpSocket = new smtpSocket("smtpServerVal", 25);
creates a stream socket ad connects it to the specified port number on the named host
here host = smtpServerVal (This is the Outgoing Mail Server hostname)
port=25.
(Got this information from java.net.Socket)

There is a firewall, but its the same for the windows machine too, so why would the firewall on the solaris box cause such a big delay?
How can I check whether the DNS is working correctly on the machine?

Is there a resolution?
Thanks, Nishi.
 
B

Babu Kalakrishnan

Nishi said:
The constructor Socket smtpSocket = new smtpSocket("smtpServerVal", 25);
creates a stream socket ad connects it to the specified port number on the named host
here host = smtpServerVal (This is the Outgoing Mail Server hostname)
port=25.
(Got this information from java.net.Socket)

"smtpSocket" certainly not one of the java.net standard classes (And all
Sun classes have names starting with a Capital letter). Nigel was
assuming that it is a custom class that you wrote. Since you mention the
java.net.Socket class, does your code by any chance read :

Socket smtpSocket = new Socket(smtpServerVal, 25);
^^^^^^
instead ? (where smtpServerVal is the variable that holds the name)

There is a firewall, but its the same for the windows machine too, so why would the firewall on the solaris box cause such a big delay?
How can I check whether the DNS is working correctly on the machine?

Is there a resolution?

Since you say this happens only when you type names instead of an IP
address, first thing one would suspect is a DNS resolution delay (though
I can't really understand why it would fail "yahoo" quickly and
"yahoo.com" after a delay - a smart resolver that understands invalid
TLDs ???). It is possible that DNS is not setup properly on the Solaris
machine ? Try running nslookup (or dig) from the commandline on the
machine and see if similar delays occur. And if the name resolution
fails on even well known domain names (like say yahoo.com) ask your
system administrator to set the DNS right. (And if *you* have it to do
it yourselves, make sure there is a "dns" entry in /etc/nssswitch.conf
and that "nameserver" entries in the /etc/resolv.conf point to working
DNS servers)

BK
 
N

Nigel Wade

Nishi said:
The constructor Socket smtpSocket = new smtpSocket("smtpServerVal", 25);
creates a stream socket ad connects it to the specified port number on the named host
here host = smtpServerVal (This is the Outgoing Mail Server hostname)
port=25.
(Got this information from java.net.Socket)

There is a firewall, but its the same for the windows machine too, so why
would the firewall on the solaris box cause such a big delay?

How many firewalls, if it's the same as for Windows as it is for Solaris,
what is "the firewall on the solaris box"? External firewalls can have
specific rules for each host, so could be setup correctly for the Windows
box and incorrectly for the Solaris box.
How can I check whether the DNS is working correctly on the machine?

Use nslookup to get the DNS entry for a hostname directly from your DNS
servers. If you get a proper response DNS is ok, and something else is
wrong. If you don't get a proper response use snoop (as root) to listen to
the network and detect packets going to and from the DNS server (use the
command 'snoop port 53') which should show you where the request is being
sent to, and whether any sort of response is coming back.
 
N

Nishi Bhonsle

Babu said:
"smtpSocket" certainly not one of the java.net standard classes (And all
Sun classes have names starting with a Capital letter). Nigel was
assuming that it is a custom class that you wrote. Since you mention the
java.net.Socket class, does your code by any chance read :

Socket smtpSocket = new Socket(smtpServerVal, 25);
^^^^^^
instead ? (where smtpServerVal is the variable that holds the name)

Yes. Sorry, my mistake.
I meant
Socket smtpSocket = new Socket(smtpServerVal, 25);
Since you say this happens only when you type names instead of an IP
address, first thing one would suspect is a DNS resolution delay (though
I can't really understand why it would fail "yahoo" quickly and
"yahoo.com" after a delay - a smart resolver that understands invalid
TLDs ???). It is possible that DNS is not setup properly on the Solaris
machine ? Try running nslookup (or dig) from the commandline on the
machine and see if similar delays occur. And if the name resolution
fails on even well known domain names (like say yahoo.com) ask your
system administrator to set the DNS right. (And if *you* have it to do
it yourselves, make sure there is a "dns" entry in /etc/nssswitch.conf
and that "nameserver" entries in the /etc/resolv.conf point to working
DNS servers)

I checked the /etc/nsswitch.conf and found the following --
hosts: files nis dns

I checked the /etc/resolv.conf and found that there are nameserver entries for my domain and 3 servers . One of the server entries (the last one) is not returning a successful ping.
Could that be any problem?
 
N

Nishi Bhonsle

Nigel said:
would the firewall on the solaris box cause such a big delay?

How many firewalls, if it's the same as for Windows as it is for Solaris,
what is "the firewall on the solaris box"? External firewalls can have
specific rules for each host, so could be setup correctly for the Windows
box and incorrectly for the Solaris box.

I do not have much information on the setup rules of the firewall on my solaris box. Is there a way I can find out?
I know that the oracle intranet is within a firewall.
Use nslookup to get the DNS entry for a hostname directly from your DNS
servers. If you get a proper response DNS is ok, and something else is
wrong. If you don't get a proper response use snoop (as root) to listen to
the network and detect packets going to and from the DNS server (use the
command 'snoop port 53') which should show you where the request is being
sent to, and whether any sort of response is coming back.

I got a proper response after running nslookup.
I also ran
# snoop port 53
Using device /dev/hme (promiscuous mode)

But I did not get any other information besides the above line when I ran the application
 
B

Babu Kalakrishnan

Nishi said:
Babu Kalakrishnan wrote:


I checked the /etc/nsswitch.conf and found the following --
hosts: files nis dns

I checked the /etc/resolv.conf and found that there are nameserver entries for my domain and 3 servers . One of the server entries (the last one) is not returning a successful ping.
Could that be any problem?

Depends on the strategy adopted by your resolver. If it tries to rotate
the queries between nameservers, it is possible that you might get
delays each time it tries to connect to the dead nameserver.

Better to experiment and find out. Try running nslookup on different
hostnames a few number of times. If some of the queries are taking a
long time to complete, then it is likely to be a DNS issue, and removing
that entry from the resolv.conf file should help.

On the other hand if your nslookup queries are returning fast with a
success or failure as the result (you didn't mention that aspect - i.e.
the time taken for the query - in your other post where said nslookup
seemed to be working ok), then you can eliminate DNS as the probable
reason. The next thing to try to connect to port 25 of a server that
gave you delays while testing using telnet. ("telnet yahoo.com 25" for
instance) Normally it should instantly say "connection refused" if the
port is not open. If you find a long delay, then it is probably your
firewall setup which is to blame. (It might be quietly dropping packets
instead of rejecting them - or might be blocking ICMP packets)

BK
 
N

Nigel Wade

Nishi Bhonsle wrote:

I do not have much information on the setup rules of the firewall on my
solaris box. Is there a way I can find out?

Ask the admin? AFAIK Solaris doesn't have any default firewall.

I know that the oracle intranet is within a firewall.


I got a proper response after running nslookup.
I also ran
# snoop port 53
Using device /dev/hme (promiscuous mode)

But I did not get any other information besides the above line when I ran
the application

You won't unless you make a DNS request. Port 53 is used for DNS, it will
show the DNS request going out and the response (if any) coming back.
 
N

Nishi Bhonsle

Babu said:
Depends on the strategy adopted by your resolver. If it tries to rotate
the queries between nameservers, it is possible that you might get
delays each time it tries to connect to the dead nameserver.

Better to experiment and find out. Try running nslookup on different
hostnames a few number of times. If some of the queries are taking a
long time to complete, then it is likely to be a DNS issue, and removing
that entry from the resolv.conf file should help.

On the other hand if your nslookup queries are returning fast with a
success or failure as the result (you didn't mention that aspect - i.e.
the time taken for the query - in your other post where said nslookup
seemed to be working ok), then you can eliminate DNS as the probable
reason.

The nslookup queries did return pretty quickly, whether it was success or failure.
The next thing to try to connect to port 25 of a server that
gave you delays while testing using telnet. ("telnet yahoo.com 25" for
instance) Normally it should instantly say "connection refused" if the
port is not open. If you find a long delay, then it is probably your
firewall setup which is to blame. (It might be quietly dropping packets
instead of rejecting them - or might be blocking ICMP packets)

I ran the following command on the host on which i am seeing the delay.
telnet yahoo.com 25
Trying 216.109.112.135...
<The Trying state hung for a long time before returning the below line> -- my comments

telnet: connect to address 216.109.112.135: No route to host
Trying 66.94.234.13...
<The Trying state hung for a long time before returning the below line> -- my comments

telnet: Unable to connect to remote host: No route to host
 
B

Babu Kalakrishnan

Nishi said:
Trying 216.109.112.135...
<The Trying state hung for a long time before returning the below line> -- my comments

telnet: connect to address 216.109.112.135: No route to host
Trying 66.94.234.13...
<The Trying state hung for a long time before returning the below line> -- my comments

telnet: Unable to connect to remote host: No route to host

So this is exactly what's causing the delay in your application as well.
Looks like your firewall is blocking outward traffic to port 25 and
dropping those packets. Time to query your sysadmin as to what is
happening.. They need to open up connections to port 25 for your
application to work.

By the way, if I try the same on my machine, it comes up with :

[kala@ganga]$ telnet yahoo.com 25
Trying 216.109.112.135...
Connected to yahoo.com.
Escape character is '^]'.


BK
 
N

Nishi Bhonsle

Babu said:
Nishi said:
Trying 216.109.112.135...
<The Trying state hung for a long time before returning the below line> -- my comments

telnet: connect to address 216.109.112.135: No route to host
Trying 66.94.234.13...
<The Trying state hung for a long time before returning the below line> -- my comments

telnet: Unable to connect to remote host: No route to host

So this is exactly what's causing the delay in your application as well.
Looks like your firewall is blocking outward traffic to port 25 and
dropping those packets. Time to query your sysadmin as to what is
happening.. They need to open up connections to port 25 for your
application to work.

By the way, if I try the same on my machine, it comes up with :

[kala@ganga]$ telnet yahoo.com 25
Trying 216.109.112.135...
Connected to yahoo.com.
Escape character is '^]'.

Port 25 is a default port value both for the SMTP mail server and the e-mail client and hence my application is trying to open a connection of the host(supplied through the application) on port 25. ie if there is no SMTP server with the name yahoo.com configured on port 25 then i should get an error.

I think, even though the sysadmin does not open the connections to port 25, they should be dropping packets instead of rejecting them .ie. If I run the same telnet command on my windows box, I get the following returned pretty quickly
C:\>telnet yahoo.com 25
Connecting To yahoo.com...Could not open a connection to host on port 25 : Connect failed

If I get such a response from the solaris box, that would help too.

What do you think?
 
S

Sudsy

Nishi Bhonsle wrote:
I think, even though the sysadmin does not open the connections to port 25, they should
be dropping packets instead of rejecting them .ie. If I run the same telnet command on
my windows box, I get the following returned pretty quickly
C:\>telnet yahoo.com 25
Connecting To yahoo.com...Could not open a connection to host on port 25 : Connect failed

If I get such a response from the solaris box, that would help too.

What do you think?

I think you haven't been around long enough! The port is operating in
"stealth" mode. Incoming SYN packets which don't pass the filters are
simply "dropped on the floor" as opposed to being rejected. That way,
a port scanner can't tell whether or not there's actually service on
the port.
If there weren't so many yahoos trying to find open relays... :-(
Seriously, this is completely acceptable behaviour.
 
N

Nishi Bhonsle

Sudsy said:
Nishi Bhonsle wrote:


I think you haven't been around long enough! The port is operating in
"stealth" mode. Incoming SYN packets which don't pass the filters are
simply "dropped on the floor" as opposed to being rejected. That way,
a port scanner can't tell whether or not there's actually service on
the port.
If there weren't so many yahoos trying to find open relays... :-(
Seriously, this is completely acceptable behaviour.

If this cannot be resolved and the reason for opening a socket connection on port 25 was to check whether the host supplied is a valid SMTP Server or not, can I optionally use the Java Mail API to do the same thing in the following way --

import java.util.Properties;
import javax.mail.*;
import javax.mail.internet.*;

public class SmtpConnection {
public static void main (String args[])
throws Exception {
String host = args[0];

// Get system properties
Properties props = System.getProperties();

// Setup mail server
props.put("mail.smtp.host", host); //host supplied through the application UI

// Get session
Session session = Session.getInstance(props, null);

// Define transport
Transport transport = session.getTransport("smtp");
try
{
transport.connect(host, "", ""); // if connection is successful then, the host supplied from the UI is a valid SMTP server host.
}
catch(AuthenticationFailedException afe)
{
System.out.println("For Authentication Failures");
}
catch(MessagingException me)
{
System.out.println("For Other Failures");
}
catch(IlegalStateException ise)
{
System.out.println("If service is already connected");
}

}
}
 
S

Sudsy

Nishi Bhonsle wrote:
If this cannot be resolved and the reason for opening a socket connection on port 25
was to check whether the host supplied is a valid SMTP Server or not, can I optionally
use the Java Mail API to do the same thing in the following way --
<snip>

Not necessarily. If the destination is filtering based on source IP
address (a common approach) then you'll never get to the point of
validation failure; the packets end up on the floor.
The fact is that system administrators (myself included, BTW) have
had to "harden" their systems in order to preclude abuse. You'll find
that many SMTP daemons don't even support the VERIFY (VRFY) command
in RFC-821 since it was used by spammers to "scan" for valid users
within a domain (not far removed from "brute force" or dictionary
methods for password cracking).
The questions you're posing are the same as those of people who
would abuse the system. I'm not for a moment suggesting that's your
intent but it wouldn't be very smart to provide ammunition to those
who want to subvert the system for their own aims, would it?
So now that you realize that your stated goal is unattainable, what
are you going to do instead?
There are no definitive solutions, I'm afraid.
Darn those miscreants! >:-(
 
B

Babu Kalakrishnan

Sudsy said:
Nishi Bhonsle wrote:





I think you haven't been around long enough! The port is operating in
"stealth" mode. Incoming SYN packets which don't pass the filters are
simply "dropped on the floor" as opposed to being rejected. That way,
a port scanner can't tell whether or not there's actually service on
the port.
If there weren't so many yahoos trying to find open relays... :-(
Seriously, this is completely acceptable behaviour.

I think the DROP policy is being implemented on the firewall in front of
the Solaris server (or on that server itself), not on the yahoo.com
server. (If you look at my previous message, I was able to connect
succesfully to the server)

This in my opinion is bad practice. The policy for outgoing connections
from the firewall which are to be denied should always be REJECT rather
than DROP so that the connection fails immediately. A DROP policy is
fine for ingress filtering when you don't want a port scanner from
outside to even see that the machine is up (and also slow it down in its
task).

I still wonder why the difference in connection failure time between the
Solaris machine and Windows one though (since the OP mentioned that both
are behind the same firewall). May be an additional filter on the
Solaris machine ? Or different policies based on different hosts ?

BK
 
G

Gordon Beaton

[...] the reason for opening a socket connection on port 25 was to
check whether the host supplied is a valid SMTP Server or not [...]

For outgoing mail you should be using your own (or your ISP's) smtp
server, not the recipient's.

If you have other reasons for determining what the recipients mail
server is, use a DNS resolver and look for MX records.

/gordon
 
N

Nishi Bhonsle

Gordon said:
[...] the reason for opening a socket connection on port 25 was to
check whether the host supplied is a valid SMTP Server or not [...]

For outgoing mail you should be using your own (or your ISP's) smtp
server, not the recipient's.

I need to determine whether the host name entered through the application by the user is a valid SMTP server host or not.
In order to do that, i am passing that host name to the following constructor --
smtpServer = new Socket ("host name", 25); //i.e. if i can open a socket connection on the given host name on port 25, that means the host name is a valid SMTP server host.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,743
Messages
2,569,478
Members
44,899
Latest member
RodneyMcAu

Latest Threads

Top