Two boxes with the same model and version show different results when testing DNS.
There is a difference in DNS resolution between the two appliances: the appliance on the left shows "Sending A query for URL to DNS Server", whereas the appliance on the right does not show any such output.
Why does the appliance use the public DNS server 8.8.8.8 instead of the internal addresses listed first?
Is there an ageing timeout for cached DNS entries, and what is the default DNS cache expiration time?
The different behavior seen in the screenshot is caused by the DNS cache: the entry for the domain was already cached (CACHE HIT). If the domain had not been resolved before, the test would show CACHE MISS followed by an A record query.
The third DNS server was used because the first and second DNS servers failed.
To test DNS via the CLI on the appliance while bypassing the DNS cache, use the test command with the bypass-cache option:
ProxySG> test dns google.com bypass-cache
To force the test to use a specific DNS server:
ProxySG> test dns google.com <ip address of first DNS>
Customer's DNS config:
<INTERNAL DNS>
<INTERNAL DNS>
<PUBLIC DNS 8.8.8.8>
DNS resolution via the public IP 8.8.8.8 rather than the primary IPs is caused by name-resolution errors from the preceding DNS servers, which trigger the use of the next DNS server configured on the list, 8.8.8.8.
If the first or second server fails, the answer from the server that succeeds is used, and name resolution then sticks to that working DNS server. The Edge SWG continues to use the last DNS server that worked without an issue, in this case 8.8.8.8, regardless of list priority in the configuration.
The Edge SWG moves from the last working DNS server (8.8.8.8) to the next DNS server in the list only when it receives a failure from that server, when the server address is removed from the list of DNS servers configured on the Edge SWG, or when the DNS configuration changes.
NOTE: Using the public Google DNS in the configuration might affect authentication realms configured on the Edge SWG, whose servers the public Google DNS will not resolve.
How DNS resolution on the Edge SWG (ProxySG) works:
In SGOS 7.2.2 and all later 7.x releases, and SGOS 6.7.5.4 and later 6.7 releases, the appliance contacts the last DNS server in the primary group that responded successfully. If no record of a successful query exists, the appliance contacts servers in the order in which they are configured in the primary group. The server that the appliance successfully contacts will be contacted again for future queries.
Default DNS cache expiration time on the Edge SWG (ProxySG) appliance:
If the DNS response indicates that the record is cacheable, the cache TTL is set to the number of seconds specified in the response.
The TTL can also be changed for Caching for Negative Responses, which is enabled by default.
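As an added illustration (not SGOS code), the following Python model implements the server-selection and cache behaviour described above: the last server that answered stays first, failures fall through the configured list, a configuration change that removes the sticky server forgets it, and answers are cached until their TTL expires. The internal server addresses 10.0.0.1 and 10.0.0.2, the answer 198.51.100.10 and the 300 second TTL are constructed values.

```python
class DnsFailure(Exception):
    """Server could not resolve the name (constructed for this model)."""

class StickyDnsResolver:
    """Model of the Edge SWG behaviour: keep using the last DNS server that
    answered, fall through the configured list on failure, cache answers for the TTL."""

    def __init__(self, servers, query_fn):
        self.servers = list(servers)  # primary group, in configured priority order
        self.query_fn = query_fn      # query_fn(server, name) -> (ip, ttl) or raises DnsFailure
        self.last_good = None         # last server that answered successfully
        self.cache = {}               # name -> (ip, expiry time)

    def set_servers(self, servers):
        self.servers = list(servers)  # DNS configuration change
        if self.last_good not in self.servers:  # sticky server removed: forget it
            self.last_good = None

    def candidate_order(self):
        # Last successful server first, then the rest in configured order.
        rest = [s for s in self.servers if s != self.last_good]
        return ([self.last_good] if self.last_good else []) + rest

    def resolve(self, name, now, bypass_cache=False):
        entry = self.cache.get(name)
        if not bypass_cache and entry and entry[1] > now:
            return entry[0], "CACHE HIT"
        for server in self.candidate_order():
            try:
                ip, ttl = self.query_fn(server, name)
            except DnsFailure:
                continue  # failure on this server: move to the next in the list
            self.last_good = server
            self.cache[name] = (ip, now + ttl)
            return ip, f"CACHE MISS, A query answered by {server}"
        raise DnsFailure(f"{name}: no configured server could resolve it")

def constructed_query(server, name):
    # Constructed: the two internal servers return a name error; 8.8.8.8 answers with a constructed address and TTL 300 s.
    if server.startswith("10."):
        raise DnsFailure(f"{server}: name error for {name}")
    return "198.51.100.10", 300

def demo():
    r = StickyDnsResolver(["10.0.0.1", "10.0.0.2", "8.8.8.8"], constructed_query)
    first = r.resolve("google.com", now=0)      # falls through to 8.8.8.8
    second = r.resolve("google.com", now=100)   # within TTL: served from cache
    third = r.resolve("example.net", now=100)   # sticky: asks 8.8.8.8 first
    fourth = r.resolve("google.com", now=400)   # TTL expired: queried again
    return first, second, third, fourth, r.candidate_order()
```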