DNS resolution on the EdgeSWG (ProxySG)

Article ID: 165929

Products

ProxySG Software - SGOS

Issue/Introduction

DNS requests sent from a client to the proxy are forwarded to the defined DNS server in the EdgeSWG network configuration. Entries will be cached on the proxy for the duration of the TTL.

Resolution

If you have defined more than one DNS server, the proxy uses the following logic to determine which servers are used to resolve a DNS host name and when to return an error to the client:

  • The proxy first sends requests to the DNS servers in the primary DNS server list.
  • (For SGOS 7.2.1 and SGOS 6.7.5.3 and earlier 6.7 releases) Servers are always contacted in the order in which they appear in the list.
  • (For SGOS 7.2.2 and all later 7.x releases, and SGOS 6.7.5.4 and later 6.7 releases) Servers are contacted in the order in which they appear if they are online. If a server is offline, it is skipped and the next online server is contacted.
  • The next server in the list is only contacted if the proxy does not receive a response from the current server.
  • If none of the servers in a list returns a response, the proxy returns an error to the client.
  • The proxy only sends requests to servers in the alternate DNS server list if a server in the primary list indicates that a DNS host name could not be resolved.

If a DNS server returns any other error (other than an indication that a DNS host name could not be resolved), the proxy returns the error to the client.

If the servers in both the primary and alternate DNS server lists are unable to resolve a DNS host name, an error is returned to the client.

The proxy always attempts to contact the first server in the primary DNS server list. If a response is received from this server, no attempts are made to contact any other DNS servers in the primary list.

In SGOS 7.2.1 and SGOS 6.7.5.3 and earlier 6.7 releases, if the response from the first primary DNS server indicates a name error, the proxy sends a DNS request to the first alternate DNS server, if one is defined. If no alternate DNS servers have been defined, an error is returned to the client indicating a name error. If the first alternate DNS server is unable to resolve the IP address, a name error is returned to the client, and no attempt is made to contact any other DNS servers in either the primary or alternate DNS server lists.

In SGOS 7.2.2 and all later 7.x releases, if a response is not received from a DNS server in a particular DNS server list, the proxy sends the DNS request to the next server in that list. The proxy returns an error to the client only if none of the servers in the list responds to the DNS request.

NOTE: The alternate DNS server list is not used as a failover for the primary list. It is only used when a primary DNS server returns a name error. If a request to the primary DNS servers times out, no alternate DNS server is contacted; for timeouts, the additional servers in the primary group provide the redundancy/failover.

If the proxy receives a negative DNS response (a response with the error code set to Name Error), it caches that negative response. You can configure the proxy's negative response time-to-live value (a value of zero disables negative caching). If "dns negative-cache-ttl-override" is not configured (the default proxy setting), the proxy caches the negative response and uses the TTL value from the DNS response to determine how long it should be cached. See the Command Line Interface (CLI) Reference for further information on the "dns negative-cache-ttl-override" setting.
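The server-selection rules above (primary list walked top to bottom, next server only on no response, alternate list only on a name error, timeouts never reaching the alternate list) and the negative-caching rule are easier to reason about as a small model. The following Python is an added illustration written for this article, not SGOS code; the server names, host names, TTLs and outcomes are constructed, and the "skip_offline" flag stands in for the health-check behaviour that SGOS 7.2.2+/6.7.5.4+ apply to offline servers.

```python
"""Model of the ProxySG DNS server-selection order described in this article (constructed example, not SGOS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NOERROR, NXDOMAIN, SERVFAIL, TIMEOUT = "NOERROR", "NXDOMAIN", "SERVFAIL", "TIMEOUT"


@dataclass
class DnsServer:
    name: str
    answers: Dict[str, Tuple[str, int]]   # host -> (outcome, ttl) this server would return (constructed)
    online: bool = True                    # health-check state of the server

    def query(self, host: str) -> Tuple[str, int]:
        # An offline server never answers; model that as a timeout.
        if not self.online:
            return TIMEOUT, 0
        return self.answers.get(host, (NXDOMAIN, 60))


def query_list(servers: List[DnsServer], host: str, skip_offline: bool, contacted: List[str]) -> Tuple[str, int]:
    """Walk one server list top to bottom; return the first response, or TIMEOUT if nobody answered."""
    for s in servers:
        if skip_offline and not s.online:
            continue                       # 7.2.2+/6.7.5.4+: servers marked offline are skipped
        contacted.append(s.name)
        outcome, ttl = s.query(host)
        if outcome != TIMEOUT:
            return outcome, ttl            # any response (answer or error) stops the walk
    return TIMEOUT, 0


@dataclass
class Resolver:
    primary: List[DnsServer]
    alternate: List[DnsServer] = field(default_factory=list)
    skip_offline: bool = True              # False models SGOS 7.2.1 / 6.7.5.3 and earlier
    negative_cache_ttl_override: Optional[int] = None   # None: use response TTL; 0: disable negative caching
    negative_cache: Dict[str, int] = field(default_factory=dict)   # host -> expiry (seconds)

    def resolve(self, host: str, now: int = 0) -> Tuple[str, List[str]]:
        """Return (outcome handed to the client, list of servers contacted in order)."""
        if self.negative_cache.get(host, -1) > now:
            return NXDOMAIN, []            # served from the negative cache, no server contacted
        contacted: List[str] = []
        outcome, ttl = query_list(self.primary, host, self.skip_offline, contacted)
        if outcome == NXDOMAIN and self.alternate:
            # Only a name error from the primary list reaches the alternate list;
            # timeouts and other errors (e.g. SERVFAIL) go straight back to the client.
            outcome, ttl = query_list(self.alternate, host, self.skip_offline, contacted)
        if outcome == NXDOMAIN:
            self._cache_negative(host, ttl, now)
        return outcome, contacted

    def _cache_negative(self, host: str, response_ttl: int, now: int) -> None:
        ttl = response_ttl if self.negative_cache_ttl_override is None else self.negative_cache_ttl_override
        if ttl > 0:
            self.negative_cache[host] = now + ttl


# Constructed topology: primary-1 is down, primary-2 knows the intranet, alt-1 knows the public name.
PRIMARY_1 = DnsServer("primary-1", {"intranet.example": (NOERROR, 300)}, online=False)
PRIMARY_2 = DnsServer("primary-2", {"intranet.example": (NOERROR, 300), "broken.example": (SERVFAIL, 0)})
ALT_1 = DnsServer("alt-1", {"www.example.com": (NOERROR, 120)})


def new_resolver(skip_offline: bool = True, ttl_override: Optional[int] = None) -> Resolver:
    return Resolver([PRIMARY_1, PRIMARY_2], [ALT_1], skip_offline, ttl_override)


if __name__ == "__main__":
    r = new_resolver()
    for host in ("intranet.example", "www.example.com", "broken.example", "nothing.example"):
        print(host, r.resolve(host))
    print("old releases wait on primary-1 first:", new_resolver(skip_offline=False).resolve("intranet.example"))
    print("all primaries down, alternate never tried:",
          Resolver([DnsServer("p", {}, online=False)], [ALT_1]).resolve("www.example.com"))
```

Running the block shows the three distinct client outcomes: an answer from the primary list stops the walk, a SERVFAIL from a primary server is returned without consulting the alternate list, and a name error falls through to alt-1. The last line reproduces the NOTE above: when every primary server is offline, the result is an error and the alternate list is never contacted. Setting `ttl_override=0` turns the negative cache off, so a repeated lookup of an unknown name contacts the servers again.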

Additional Information

The changes in SG-28266 from 7.3.7.1 drive DNS traffic to the servers at the top of the list, instead of walking down the list and sticking to whichever server is currently responding with an answer.

The new code uses the health checks of the servers and also respects the configured order of the servers as the preference from top to bottom.
After 6.7.5.4 and 7.2.2

SG-9432 Fixes an issue where the appliance's boot-up was delayed or could not be completed if offline DNS servers appeared before online servers in the primary group (or in the alternate group, if all primary DNS servers were offline).

After 6.7.5.16 and 7.3.7.1

SG-28266 Fixes an issue where the appliance did not honor the configured DNS server preference after a primary or alternate server went offline and then came back online.