In a proxy chaining environment, which proxy is responsible for DNS lookups?

Article ID: 171778

Products

SG-300, Symantec WebFilter (formerly Blue Coat WebFilter - BCWF), SG-600, Intelligence Services, SG-510, SG-810, SG-9000, SG-900, SG-S500, SG-S400, Secure Web Gateway Virtual Appliance, SG-S200, ProxySG Software - SGOS, SWG VA-100

Issue/Introduction

You need to know which proxy, the child (the proxy closest to users) or the parent (the proxy the child proxy forwards traffic to), will do DNS resolution of forwarded traffic.

Environment

Proxy chaining is configured

Clients are set up to explicitly connect to the child proxy

Resolution

By default, the parent proxy is responsible for DNS resolution of traffic that the child proxy forwards to it.

The child proxy will only do DNS resolution if the traffic is not being forwarded (direct traffic) or if the child proxy contains policy that requires the proxy to do a DNS lookup. If neither of these two conditions is met, the child proxy will function correctly without a DNS server configured.

Note: Some services that are configured on the proxy may require DNS resolution to be done by the child proxy; Dynamic Real Time Rating (DRTR) is one example. To avoid this, you can set up DRTR to forward DNS requests to the parent proxy. See "DRTR Health Check fails on child proxy".