DNS requests sent from a client to the proxy are generally forwarded to the defined DNS server in the ProxySG Network Setup page.
If you have defined more than one DNS server, the ProxySG uses the following logic to determine which servers are used to resolve a DNS host name and when to return an error to the client:
- The ProxySG first sends requests to the DNS servers in the primary DNS server list.
- Servers are always contacted in the order in which they appear in the list.
- The next server in the list is only contacted if the ProxySG does not receive a response from the current server.
- If none of the servers in a list returns a response, the ProxySG returns an error to the client.
- The ProxySG only sends requests to servers in the alternate DNS server list if a server in the primary list indicates that a DNS host name could not be resolved.
If a DNS server returns any other error (other than an indication that a DNS host name could not be resolved), the ProxySG returns the error to the client.
If a server in both the primary and alternate DNS server lists are unable to resolve a DNS host name, an error is returned to the client.
The ProxySG always attempts to contact the first server in the primary DNS server. If a response is received from this server, no attempts are made to contact any other DNS servers in the primary list.
If the response from the first primary DNS server indicates a name error, the ProxySG sends a DNS request to the first alternate DNS server, if one is defined. If no alternate DNS servers have been defined, an error is returned to the client indicating a name error. If the first alternate DNS server is unable to resolve the IP address, a name error is returned to the client, and no attempt is made to contact any other DNS servers in either the primary or alternate DNS server lists.
If a response is not received from any DNS server in a particular DNS server list, the ProxySG sends a DNS request to the next server in the list. The ProxySG returns a name error to the client if none of the servers in a DNS server list responds to the DNS request.
NOTE: The alternate DNS server is not used as a fail over DNS server. It is only used when DNS resolution of primary DNS server returns name error. If a timeout occurs when looking up the primary DNS server, no alternate DNS server is contacted.
If the ProxySG receives a negative DNS response (a response with an error code set to Name Error), it caches that negative response. You can configure the ProxySGs negative response time-to-live value. (A value of zero disables negative caching.) If the dns negative-cache-ttl-override is not configured (this is the default ProxySG setting), the ProxySG caches the negative response and uses the TTL value from the DNS response to determine how long it should be cached. Please see the Command Line Interface (CLI) Reference for further information regarding the "dns negative-cache-ttl-override" setting. The CLI reference can be downloaded from https://bto.bluecoat.com/documentation/pubs/ProxySG/ .