ProxySG & Advanced Secure Gateway


 About the behavior of ProxySG when it requests DNS name resolution from a DNS round-robin server.

Yoshinori Kobayashi posted Aug 05, 2024 05:55 AM
Dear Sirs,
 
I have two questions about the behavior of ProxySG when it requests DNS name resolution from a DNS round-robin server.
 
ProxySG requests DNS name resolution from a DNS round-robin server.
The DNS round-robin server returns several IP addresses to ProxySG.
 
What IP address does the ProxySG use?
Will it use the first IP address it receives?
 
If ProxySG cannot reach the web server using one of the multiple IP addresses received from the DNS round-robin server, will the ProxySG try to reach the web server on the other IP addresses?
Or, in this case, will the ProxySG return an error to the client side saying that the web server cannot be reached?

Broadcom Employee Chris Martin

Deleted as I answered twice apparently. ;-)

Broadcom Employee Chris Martin

Round-robin is done by the DNS server, not the SG. So, the SG only receives one address from the DNS server. If this address is not accessible, the SG will return an error. This will continue as long as the DNS TTL is valid for this host name. Only after the TTL expires will the SG perform a new DNS lookup.

Klaus Klinge

@Chris Martin - Is there a way to check the DNS cache on the Proxy?
I had the impression (but I last checked this with version 6.5.x) that the TTL is ignored by the proxy.

Web C

@Chris Martin, are you sure about this "Round-robin is done by the DNS server, not the SG. So, the SG only receives one address from the DNS server."?

Yoshinori Kobayashi
Hello Chris
 
Thank you for your assistance.
I understand that the ProxySG does not see whether the DNS server has a round-robin function.
So the ProxySG behaves the same as with a normal DNS server.

Klaus Klinge

Just in case:
If this question refers to any website on the Internet, then you could possibly intercept the error and redirect it (HTTP redirect) so that the browser initiates a new request. However, this would probably only help if the proxy does not cache the response from the DNS server.

However, if it is a known website, then you can set up a health check for the IP addresses.
And then a set of rules in the forwarding layer:
server_url.domain="nasa.gov" "is_healthy.fwd.nasa-ip-one"=yes forward("fwd-Nasa-One") forward.fail_open(no) 
server_url.domain="nasa.gov" "is_healthy.fwd.nasa-ip-two"=yes forward("fwd-Nasa-Two") forward.fail_open(no) 

So in case the DNS server delivers IP x and the web server behind this IP is offline, then fwd.nasa-ip-one would be unhealthy.
The forwarding layer would not match the first rule and will match the second rule -> so the proxy will forward the request to the second IP.
This will also work with more than two IPs; you just have to choose the order of the rules, because when everything is online the proxy will always use the first IP, and this runs counter to the load balancing via DNS planned by the provider.

Broadcom Employee Chris Martin

I stand corrected. I don't know what I was thinking when I answered.

As @Web C demonstrated, the DNS server returns a number of IP addresses with different IPs and in a different order. The client (in this case the SG) will use the first entry in the list unless it becomes unreachable, in which case it will use the next address in the list. This works as long as at least one of the addresses is available. If all addresses in the list become unavailable, the SG will return an exception to the requesting user. This exception will continue as long as all addresses in the list remain unavailable and for the period of the DNS TTL (yes, ProxySG honours the TTL). After the TTL expires, or when the DNS entry is manually deleted in the SG, the next request for the domain will force a new DNS resolution. If the DNS server returns different addresses than before and at least one is available, then the request will be successful. The same goes if the addresses remain the same and at least one is available again.

In the case of download.mozilla.org, I always received the same three, although I can see in @Web C's post that they use more than the three I get. Most likely they have a global DNS load balancer that distributes the addresses based on the geo location of the requester. So, when I blocked all three addresses at my FW, I always received an exception, even after deleting the DNS entry and renewing it. As soon as I unblocked one of the three, requests worked again.

Once again, sorry for the confusion. I should have tested it before responding. ;-)
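Chris's corrected description above (use the first address in the returned list, fall through to the next when it is unreachable, raise an exception only when all fail, and do a fresh lookup only after the TTL expires or the cache entry is deleted by hand) and the ordered health-checked forwarding rules Klaus describes both reduce to the same client-side logic: walk an ordered address list and take the first one that answers. The Python below is an added example, not ProxySG or Broadcom code, that simulates that logic against a constructed round-robin DNS answer so the behaviour can be traced step by step. Every name in it (`DnsCache`, `fetch`, `run_scenario`, the 203.0.113.x addresses, `example.test`) is the example's own construction.

```python
"""Simulation of a client resolving a multi-address DNS answer with a
TTL-bound cache and in-order failover.  Added example, not ProxySG code;
the resolver answers and the reachability table are constructed."""
from dataclasses import dataclass


@dataclass
class CacheEntry:
    addresses: list      # A records in the order the server returned them
    expires_at: float    # absolute time at which the TTL runs out


class DnsCache:
    """Caches one answer per name and re-queries only after TTL expiry or purge."""

    def __init__(self, resolver):
        self._resolver = resolver   # callable: name -> (addresses, ttl_seconds)
        self._entries = {}
        self.lookups = 0            # how many times the upstream server was asked

    def resolve(self, name, now):
        entry = self._entries.get(name)
        if entry is None or now >= entry.expires_at:
            addresses, ttl = self._resolver(name)
            entry = CacheEntry(list(addresses), now + ttl)
            self._entries[name] = entry
            self.lookups += 1
        return entry.addresses

    def purge(self, name):
        """Equivalent of manually deleting one entry from the proxy's DNS cache."""
        self._entries.pop(name, None)


class AllAddressesUnreachable(Exception):
    """Raised when every cached address fails; maps to the proxy's exception page."""


def fetch(name, cache, connect, now):
    """Return the first cached address (in server order) that accepts a connection."""
    for addr in cache.resolve(name, now):
        if connect(addr):
            return addr
    raise AllAddressesUnreachable(name)


# Constructed round-robin answer: the same three addresses, rotated per query.
ROTATION = [
    ["203.0.113.10", "203.0.113.11", "203.0.113.12"],
    ["203.0.113.11", "203.0.113.12", "203.0.113.10"],
    ["203.0.113.12", "203.0.113.10", "203.0.113.11"],
]


def make_round_robin_resolver(ttl=60):
    """Return a resolver that hands out ROTATION entries in turn with a fixed TTL."""
    calls = {"n": 0}

    def resolver(name):
        answer = ROTATION[calls["n"] % len(ROTATION)]
        calls["n"] += 1
        return answer, ttl

    return resolver


def run_scenario():
    """Walk through the cases discussed in the thread and return what happened."""
    cache = DnsCache(make_round_robin_resolver(ttl=60))
    blocked = set()                             # addresses the firewall drops
    connect = lambda addr: addr not in blocked  # constructed reachability check
    out = {}

    out["first"] = fetch("example.test", cache, connect, now=0.0)
    blocked.add("203.0.113.10")                 # head of the cached list goes down
    out["failover"] = fetch("example.test", cache, connect, now=1.0)

    blocked.update(ROTATION[0])                 # everything down, TTL still valid
    try:
        fetch("example.test", cache, connect, now=2.0)
        out["all_down"] = "served"
    except AllAddressesUnreachable:
        out["all_down"] = "exception"
    out["lookups_before_ttl"] = cache.lookups   # cache still answered; no re-query

    try:                                        # TTL expired: fresh lookup, still down
        fetch("example.test", cache, connect, now=61.0)
    except AllAddressesUnreachable:
        pass
    out["lookups_after_ttl"] = cache.lookups

    blocked.discard("203.0.113.12")             # one server comes back
    cache.purge("example.test")                 # operator deletes the cache entry
    out["after_purge"] = fetch("example.test", cache, connect, now=62.0)
    out["lookups_after_purge"] = cache.lookups
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

With every address reachable the loop always returns the head of the cached list, so any spreading of load comes from the DNS server rotating its answer between lookups, not from the client; this is the same effect Klaus notes for a fixed rule order in the forwarding layer.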

Broadcom Employee Chris Martin

To answer @Klaus Klinge's question about checking the DNS cache: yes, you can check individual entries in the cache and manually delete them if you want.

Go to: https://{PROXY}:8082/DNS to get a list of DNS cache URLs and enter specific DNS record requests.

You can also jump directly to an entry with:
https://{PROXY}:8082/DNS/cache/info/{DOMAIN}
This is what https://{PROXY}:8082/DNS/cache/info/download.mozilla.org looked like: