Troubleshooting high latency due to DNS using a policy trace

Article ID: 170684

Products

ProxySG Software - SGOS

Issue/Introduction

When taking a policy trace, the following timing information can be found in the trace file (the values below vary depending on the environment):

Total time added: 12345 ms
Total latency to first byte: 12345 ms
Request latency: 12345 ms
    OCS connect time: 12345 ms
    Response latency (first byte): 12345 ms
    Response latency (last byte): 12345 ms

A large gap between the client-in and server-out checkpoints also points to this issue, because the DNS query takes place right before the proxy sends the request out to the destination:

client-in: start 10 elapsed 0 ms
server-out: start 12345 elapsed 0 ms
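As an added example (not from the article or from Broadcom), a small Python script that parses the trace fields shown above and measures the client-in to server-out gap; the sample trace is constructed, and the threshold and share values used to flag a likely DNS delay are assumptions, not a vendor rule.

```python
import re
from typing import Dict, Tuple

# Constructed sample modelled on the trace excerpt above; not a real capture.
SAMPLE_TRACE = """\
Total time added: 4210 ms
Total latency to first byte: 4350 ms
Request latency: 4300 ms
    OCS connect time: 45 ms
    Response latency (first byte): 50 ms
    Response latency (last byte): 95 ms
client-in: start 10 elapsed 0 ms
server-out: start 4220 elapsed 0 ms
"""

# "checkpoint: start N elapsed M ms" lines
CHECKPOINT_RE = re.compile(r"^\s*([\w-]+): start (\d+) elapsed (\d+) ms\s*$")
# "Metric name: N ms" summary lines
METRIC_RE = re.compile(r"^\s*([A-Za-z][^:]*?): (\d+) ms\s*$")


def parse_trace(text: str) -> Tuple[Dict[str, int], Dict[str, Tuple[int, int]]]:
    """Return (metrics, checkpoints): metric name -> ms, checkpoint -> (start, elapsed)."""
    metrics: Dict[str, int] = {}
    checkpoints: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        m = CHECKPOINT_RE.match(line)
        if m:
            checkpoints[m.group(1)] = (int(m.group(2)), int(m.group(3)))
            continue
        m = METRIC_RE.match(line)
        if m:
            metrics[m.group(1).strip()] = int(m.group(2))
    return metrics, checkpoints


def pre_forward_gap_ms(checkpoints: Dict[str, Tuple[int, int]]) -> int:
    """Milliseconds between the end of client-in and the start of server-out.
    Policy evaluation, including the forward DNS lookup, happens in this window."""
    ci_start, ci_elapsed = checkpoints["client-in"]
    so_start, _ = checkpoints["server-out"]
    return so_start - (ci_start + ci_elapsed)


def dns_latency_suspected(text: str, threshold_ms: int = 1000, share: float = 0.8) -> bool:
    """Heuristic (assumption): the gap is long, accounts for most of the proxy's added
    time, and is not explained by the OCS connect time, which is measured afterwards."""
    metrics, checkpoints = parse_trace(text)
    gap = pre_forward_gap_ms(checkpoints)
    added = metrics.get("Total time added", 0)
    connect = metrics.get("OCS connect time", 0)
    return gap >= threshold_ms and added > 0 and gap / added >= share and connect < gap
```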

Cause

In general, a DNS lookup is needed for policy evaluation and for forwarding the request to the right IP addresses. In a reverse proxy scenario, however, a forward DNS lookup is not required, because the client is the one performing the DNS query and resolving the name to a public IP. In this case, special entries must be added to the proxy to tell it not to perform DNS lookups for the sites that are having issues. There are some cases in which this lookup may still be required in reverse proxy deployments; more information on this can be found in article TECH242768.

If DNS lookups are performed, they can sometimes take too long to complete, leaving the proxy unable to move on to the next step (sending the HTTP/HTTPS request). This causes the high latency described above.

Resolution

  • Access the Management Console
  • Go to Configuration > Policy > VPM (Visual Policy Manager) > Configuration > DNS Lookup Restrictions
  • Click on "Listed host patterns"
  • Click Add and type in the name of the domain that is having issues