Web site or video loads slowly / Remote host does not have DNS name (RDNS)

Article ID: 167154

Products

ProxySG Software - SGOS

Issue/Introduction

A web site loads slowly
The video loads slowly or times out
The remote host does not have a DNS name associated with its IP address
When you do a ping -a <ip.address.of.remote-host>, no DNS name is returned.
One particular site is slow, but all other sites are quick to load.

Resolution

Slow web site access or slow video access can be a symptom of many different things.  This document will focus on reverse DNS (RDNS) as the main problem and the steps that can be taken to identify RDNS as the problem.  At the end of this article, there will be links to other articles for possible performance problems in case your issue is not an RDNS issue.

If you suspect that RDNS is failing or taking a long time to occur, you can restrict RDNS lookups occurring on the ProxySG.  To do that, please do the following items:

1.)  Log in to the Management Console (https://<ip.address.of.proxysg>:8082)
2.)  Go to the Configuration tab > Policy > Visual Policy Manager > Launch
3.)  With the Visual Policy Manager window open, click on Configuration > Set Reverse DNS Lookup Restrictions...
4.)  In the DNS Lookup Restrictions, change the default of None to Listed host patterns.  Click on the Add button.
5.)  Enter in the host or subnet and click on the Add button.  When finished, click on the Close button.
6.)  Click on Install Policy.
7.)  Test

If you have done the above changes and from a packet capture you determine that RDNS is still occurring, there are other potential configuration issues that may be affecting it.  Here are a few other things to check for:

 

SMARTFILTER CONTENT FILTER MAY CAUSE RDNS TO OCCUR

If you are running the SmartFilter content filter, it is possible that the RDNS lookup is being initiated by SmartFilter.  To disable SmartFilter's RDNS, please do the following steps:

1.)  Log in to the Management Console (https://<ip.address.of.proxysg>:8082)
2.)  Go to the Configuration tab > Content Filtering > Third-Party Databases > SmartFilter tab
3.)  Remove the check next to Allow RDNS and click on the Apply button.
4.)  Test.

NOTE about disabling RDNS for SmartFilter:  "Disabling reverse DNS prevents SmartFilter from correctly classifying some sites and can increase the likelihood of the ProxySG appliance serving inappropriate content."  Because removing RDNS can negatively affect site classification, please use judgement when disabling RDNS for SmartFilter.

 

CLIENT.HOST CPL CAUSING RDNS TO OCCUR

Within VPM (and CPL) there is the Client Hostname option.  In VPM the Client Hostname option appears as an icon.  If you see this icon in VPM, you are using the Client Hostname option, which will cause an RDNS lookup to occur.  In CPL, you may be using any of the following commands:

    client.host= 
    client.host.exact=
    client.host.prefix=
    client.host.regex=
    client.host.substring= 
    client.host.suffix= 
 

To resolve the issue, do not use the Client Hostname option within VPM or CPL.  If you need to restrict policy to a specific workstation or user, try using another method, such as IP address or workstation group.  If you want to quickly find out whether you are using a client.host CPL command in your proxy's configuration, please do the following:

1.)  Log in to the Management Console (https://<ip.address.of.proxysg>:8082)
2.)  Change the URL to read as follows:  https://<ip.address.of.proxysg>:8082/sysinfo   Note:  This will show you the system information of your ProxySG
3.)  Using your web browser, search for client.host.  If it exists, make a note of it and the names of the hosts.
4.)  Remove the sysinfo from your URL to go back into the Management Console.
5.)  Go look for the offending policy.  The offending policy may be in the local policy file or it may be in VPM.  If you are using VPM, search for the client.host icon or look in your local policy file for client.host commands.

 

TROUBLESHOOTING:

To troubleshoot an RDNS issue, you can take a packet capture on the ProxySG while the problem is occurring.  Download the packet capture and use a protocol analyzer, such as Wireshark, to analyze it.  You can add the following as a display filter:

dns.time>.5

This filter shows any DNS requests that took longer than half a second (0.5 seconds).
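
Wireshark only populates dns.time on responses, so a reverse lookup that never receives an answer will not match the filter above.  The following added example (not part of the original article) reads tshark field output and lists the IPv4 hosts whose PTR lookups were slow or went unanswered, which are the hosts to consider when setting the reverse DNS lookup restrictions described earlier.  The tshark command in the comment, the field order and the sample lines are assumptions constructed for illustration.

```python
import ipaddress

SLOW = 0.5  # seconds, same threshold as the dns.time display filter
# Constructed sample of tab-separated tshark field output, assumed to come from:
#   tshark -r capture.pcap -Y dns -T fields -e dns.id -e dns.flags.response \
#          -e dns.qry.name -e dns.qry.type -e dns.time
SAMPLE = "\n".join([
    "0x1a01\t0\t10.2.0.192.in-addr.arpa\t12\t",
    "0x1a01\t1\t10.2.0.192.in-addr.arpa\t12\t0.012",
    "0x1a02\t0\t77.113.0.203.in-addr.arpa\t12\t",
    "0x1a02\t1\t77.113.0.203.in-addr.arpa\t12\t2.310",
    "0x1a03\t0\t5.100.51.198.in-addr.arpa\t12\t",   # query with no response
    "0x1a04\t0\twww.example.com\t1\t",              # forward lookup, ignored
    "0x1a04\t1\twww.example.com\t1\t0.900",
])

def ptr_to_ip(name):
    """Turn an IPv4 PTR name (d.c.b.a.in-addr.arpa) back into a.b.c.d."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"] or len(labels) != 6:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ValueError:
        return None

def slow_rdns(text, threshold=SLOW):
    """Return {ip: seconds or None} for PTR lookups that were slow or unanswered."""
    pending, report = {}, {}
    for line in text.splitlines():
        fields = line.split("\t")
        # 12 is the PTR record type; anything else is not a reverse lookup
        ip = ptr_to_ip(fields[2]) if len(fields) >= 5 and fields[3] == "12" else None
        if ip is None:
            continue
        txid, flag, rtt = fields[0], fields[1], fields[4]
        if flag in ("1", "True"):                  # response (either boolean style)
            pending.pop((txid, ip), None)
            if rtt and float(rtt) > threshold:
                report[ip] = max(float(rtt), report.get(ip) or 0.0)
        else:                                      # query still waiting for an answer
            pending[(txid, ip)] = True
    for _, ip in pending:                          # queries that never got a response
        report.setdefault(ip, None)
    return report

if __name__ == "__main__":
    for ip, rtt in sorted(slow_rdns(SAMPLE).items()):
        print(ip, "no response" if rtt is None else f"{rtt:.3f}s")
```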

 
