ProxySG & Advanced Secure Gateway


DNS query on Bluecoat proxy.

Umesh Manyar, Sep 12, 2018 04:45 AM

  • 1.  DNS query on Bluecoat proxy.

    Posted Sep 10, 2018 11:55 PM

    Hi,

    Just have one query on Bluecoat proxy DNS query resolution. On the proxy server, if we configure multiple DNS servers under the primary server group name, will Bluecoat send the DNS query to all DNS servers configured under the primary DNS servers group, or just to the one server which is configured first?

    Example

    Group name primary --> 10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4

    Group alternate --> None

    In the above example, 4 servers are configured under the primary servers group. Does Bluecoat send the DNS query to all four servers or just to the 10.1.1.1 server?

    Also, what will happen if I configure a DNS server in the alternate DNS server group?

    Example

    Group name primary --> 10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4

    Group alternate --> 10.1.1.5

     

     

    Regards,

    Umesh

     



  • 2.  RE: DNS query on Bluecoat proxy.

    Broadcom Employee
    Posted Sep 11, 2018 12:03 AM

    Hi Umesh,

     

    Does the article https://support.symantec.com/en_US/article.TECH241525.html answer your query?



  • 3.  RE: DNS query on Bluecoat proxy.

    Posted Sep 11, 2018 12:25 AM

    Hi Aravind,

     

    Thank you very much for your reply.

    But sorry to say, I am not able to understand that explanation. Some statements contradict each other. Can you explain it to me, or is there any way we can get on a call?

     

    Regards,

    Umesh

     



  • 4.  RE: DNS query on Bluecoat proxy.

    Broadcom Employee
    Posted Sep 11, 2018 12:43 AM

    Hi Umesh,

    Unfortunately, we can’t offer a call for a forum post. You need to contact the Support numbers to raise a case and then talk to the assigned TAC personnel for more details on this. Trying to make it a bit simpler. Some lines are copy-pasted from the article.

    For a Primary group, the below will be true

    • The ProxySG first sends requests to the DNS servers in the primary DNS server list.
    • Servers are always contacted in the order in which they appear in the list.
    • The next server in the list is only contacted if the ProxySG does not receive a response from the current server.
    • If none of the servers in a list returns a response, the ProxySG returns an error to the client.

    Only if a server in the above Primary list returns a "Name Error" will the proxy check with the Alternate server list. For the Alternate list, the below will also be applicable:

    • Servers are always contacted in the order in which they appear in the list.
    • The next server in the list is only contacted if the ProxySG does not receive a response from the current server.
    • If none of the servers in a list returns a response, the ProxySG returns an error to the client.


    Now, with this as the order in which the servers are used, can you share the confusion so that I can try to answer it to the best of my knowledge?



  • 5.  RE: DNS query on Bluecoat proxy.

    Posted Sep 11, 2018 01:55 AM

    Hi,

    Now I understand: first the primary list gets checked and then the secondary list gets checked, in sequence.

    Thanks for this explanation.


    Also, regarding the statement in red: if a timeout occurs or there is some issue in DNS resolution on the first server in the primary list, then what will happen? As per this statement, this is an outage. Am I right? Is there any way we can avoid this outage?


    NOTE:  The alternate DNS server is not used as a fail over DNS server.  It is only used when DNS resolution of primary DNS server returns name error.  If a timeout occurs when looking up the primary DNS server, no alternate DNS server is contacted.



  • 6.  RE: DNS query on Bluecoat proxy.

    Broadcom Employee
    Posted Sep 11, 2018 03:10 AM

    Hi Umesh,

    The Alternate list will not be checked if there is no response from any of the Primary servers. The Alternate is "only" used if a Primary server gave back a "Name Error" in return. If the first server in the list gives back a "Name Error" then the Proxy will check the Alternate list’s first server, and only in this scenario.

    In case the first DNS server in the Primary list fails and is not responding, the proxy will continue using the next server in the Primary list itself. This shouldn’t cause an outage. You are to use multiple DNS servers within the Primary list for failover, and that should be enough to cover a DNS server failure. Alternate's purpose is not failover.

     



  • 7.  RE: DNS query on Bluecoat proxy.

    Posted Sep 11, 2018 04:29 AM

    Sorry, I am asking multiple questions, but one confusion again.

    As you mentioned, "If the first server in the list gives back a "Name Error" then the Proxy will check the Alternate list’s first server and only in this". So what will happen if the primary list has multiple servers? When will the alternate server get used?

     

     



  • 8.  RE: DNS query on Bluecoat proxy.

    Broadcom Employee
    Posted Sep 11, 2018 04:33 AM

    Hi Umesh,

    Even if you have multiple servers in the Primary list, when one of the servers gives back a "Name Error" the proxy will turn to the Alternate servers immediately. No checking will be done against the rest of the Primary servers. I am not able to find an exact use case for this to be designed this way.

     

     



  • 9.  RE: DNS query on Bluecoat proxy.

    Posted Sep 11, 2018 04:44 AM

    Hello,

    One theory for this design would be that the primary group is primarily designed to contain your organisation's DNS servers (multiple DNS servers for redundancy), and if one of them doesn't have the record then it's somewhat unlikely that any of the other DNS servers would have a record.

    The alternative group shouldn't be used that often, so it can be used to ask external (publicly available) DNS servers if they have a record.

    I too tried to find documentation on why it's designed this way but, same as Aravind, I wasn't able to find anything relevant, so this is just a best guess.

    BR

    Matt



  • 10.  RE: DNS query on Bluecoat proxy.

    Posted Sep 11, 2018 05:01 AM

    Thank you Arvind and Matt for all your explanations.

     



  • 11.  RE: DNS query on Bluecoat proxy.

    Posted Sep 12, 2018 12:43 AM

    One more question here. 

    If the first server in the Alternate server list also gives a name error, then what will happen? What will the proxy do next? Will the proxy again send the query to the second server in the primary list, or what?



  • 12.  RE: DNS query on Bluecoat proxy.

    Broadcom Employee
    Posted Sep 12, 2018 02:07 AM

    Hi Umesh,

     

    If the first server in the Alternate list gave back a "Name Error", the proxy will send an exception to the client. It won't be checking any further servers down the list.



  • 13.  RE: DNS query on Bluecoat proxy.

    Posted Sep 12, 2018 02:35 AM

    So in which case will the alternate servers list get used? I mean the servers configured second, third, fourth and so on in the alternate list.

     

    regards,

    Umesh



  • 14.  RE: DNS query on Bluecoat proxy.

    Broadcom Employee
    Posted Sep 12, 2018 04:34 AM

    Hi Umesh,

    The proxy will only use the "Alternate" server list if it is getting a "Name Error" from one of the servers in the Primary list. If there is no response from the Primary list of servers, the Alternate list will never be contacted. Let’s say that one of the primary servers gave back a "Name Error"; then the proxy will start checking with the Alternate servers in the same order as they are in the list. If the first one is not giving any response, it will attempt the next one, and so on. This is the only scenario in which the servers listed (2nd, 3rd etc.) in the Alternate list will be used.



  • 15.  RE: DNS query on Bluecoat proxy.

    Posted Sep 12, 2018 04:45 AM

    Thank you very much for this explanation.
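
The lookup order described in posts 4 through 14, modelled as a small Python simulation. This is an added example, not ProxySG code or part of the original thread; the `Outcome`, `walk` and `resolve` names, the second Alternate address 10.1.1.6, and treating an empty Alternate list as an error are assumptions made for illustration.

```python
from enum import Enum

class Outcome(Enum):
    ANSWER = "answer"            # server returned a record
    NAME_ERROR = "name_error"    # server replied "Name Error"
    NO_RESPONSE = "no_response"  # timeout or server down

def walk(servers, behaviour, contacted):
    """Query servers in list order; try the next one only on no response."""
    for server in servers:
        contacted.append(server)
        outcome = behaviour.get(server, Outcome.NO_RESPONSE)
        if outcome is not Outcome.NO_RESPONSE:
            return outcome
    return Outcome.NO_RESPONSE

def resolve(primary, alternate, behaviour):
    """Return (result, servers contacted in order) for one lookup."""
    contacted = []
    outcome = walk(primary, behaviour, contacted)
    if outcome is Outcome.NAME_ERROR:
        # A Name Error from any Primary server ends the Primary walk and
        # hands the lookup to the Alternate list (empty list: assumed error).
        outcome = walk(alternate, behaviour, contacted)
    # No response from every Primary never reaches the Alternate list.
    return ("resolved" if outcome is Outcome.ANSWER else "error"), contacted

# Constructed sample: Primary/Alternate addresses from the thread, plus a
# hypothetical second Alternate (10.1.1.6) to show Alternate-list ordering.
PRIMARY = ["10.1.1.1", "10.1.1.2", "10.1.1.3", "10.1.1.4"]
ALTERNATE = ["10.1.1.5", "10.1.1.6"]
A, NX = Outcome.ANSWER, Outcome.NAME_ERROR

# Servers not listed in a scenario are treated as not responding.
SCENARIOS = {
    "first primary down": {"10.1.1.2": A},
    "all primaries down": {"10.1.1.5": A},
    "primary name error": {"10.1.1.1": NX, "10.1.1.2": A, "10.1.1.5": A},
    "first alternate down": {"10.1.1.1": NX, "10.1.1.6": A},
    "alternate name error": {"10.1.1.1": NX, "10.1.1.5": NX, "10.1.1.6": A},
}

if __name__ == "__main__":
    for name, behaviour in SCENARIOS.items():
        result, contacted = resolve(PRIMARY, ALTERNATE, behaviour)
        print(f"{name:22} -> {result:8} via {', '.join(contacted)}")
```

The "all primaries down" scenario is the one to plan for: the lookup fails even though an Alternate server could have answered, so redundancy has to come from the Primary list.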