02-02-2022 06:59 AM - edited 02-02-2022 07:07 AM
Solved! Go to Solution.
05-25-2022 02:05 AM
Hi @fw_mon
Sorry for late reply
I was checking in my LAB your configurations
lets say my first Proxy has IP 48.27 and its upstream proxy is 48.28
the 48.27 is using some fault DNS server 3.3.2.1
when I send the request to 48.27 :
as you can see it took about 30 seconds to redirect the request to upstream proxy
WSA tries to resolve for 3 hits then it will forward the request to upstream
also on the other hand WSA need a reliable DNS server for its internal usages and modules such as WBRS + updater and ...
hope this will help you out
+++++++++++++++++++++++++++++++++++++++++++++++++++
++++ If you find this answer helpful, please rate it as such ++++
+++++++++++++++++++++++++++++++++++++++++++++++++++
05-15-2022 01:59 PM
if you are using Explicit Proxy mode, WSA will go and query for DNS records
if you use Transparent Proxy mode, we can configure WSA to trust the Client DNS resolution or do the name resolution it self
this is where this configuration is for :
>advancedproxyconfig > DNS > 3 = Very limited DNS usage --> it means that trust the client DNS resolved IP
05-15-2022 02:42 PM
Thank you @amojarra
currently our WSA doesn't able to resolve external DNS hostnames. I see all these failed DNS queries in tcpdump capture. Does failed DNS lookup have any negative consequences like increased latency or missing reputation information? If yes, is DNS mandatory for WSA behind an upstream proxy? The response latency for most websites is reasonably low. How WSA handle this situation internally?
I know from other vendors, that a downstream proxy usually doesn't need external DNS resolution.
05-17-2022 02:43 PM
Hi @fw_mon
WSA use DNS for two reasons:
1- For its Proxy service
2- For its internal Services such as WBRS ( WEB REPUTATION SCORE ), WSA need to resolve the FQDN to IP to check if The IP is blacklisted, and for other checks
For the Proxy procedures, if the WSA can not resolve the URL it will try to resolve the FQDN for couple of times, it depends to the number of DNS servers you have provided in the WSA.
regarding the upstream Proxy, since it is Explicit, WSA will send HTTP Connect to its UP-stream Proxy server, and the Name resolution to the web server will happens there.
I suggest :
[1] check if the FTP is enabled on your WSA ( if not CLI > ifconfig > edit > management interface > Do you want to enable FTP on this interface? [N]> Y > hit enter to end the wizard > commit )
[2] connect Via FTP . navigate to folder Track_Stat
[3] Download Prox_track.log
[4] you can check the latency in couple of sections :
- Client Time : time took from Client to WSA
- Server Transaction Time : time from WSA to WebServer
- DNS time : DNS time
For Example in below line:
Client Time 631.0 ms 7415
there are 7,415 requests which took 631milli seconds from Client to WSA Since the device was last rebooted
in order to find the number of current occurrence, you have to substract these values from 2 time periods
each section are for 5 minutes time stamp.
so in this case if I have :
17 May 2022 05:02:07 ... Client Time 631.0 ms 7415
17 May 2022 05:05:07 ... Client Time 631.0 ms 7815
we have 400 connections took 631ms from Client to WSA
same will be for DNS and Servers.
for more information you can check this link:
https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKSEC-3771.pdf
+++++++++++++++++++++++++++++++++++++++++++++++++++
++++ If you find this answer helpful, please rate it as such ++++
+++++++++++++++++++++++++++++++++++++++++++++++++++
05-19-2022 06:56 AM
Hello @amojarra
many thanks for your explanations.
We reduced an WBRS update interval from 5m to 1d some time ago, and even recently disabled WBRS completely. Nevertheless WSA continues to perform DNS lookups. I still see a lot of DNS requests in tcpdump.
For proxy services, I expected that WSA don't need a destination IP if an upstream proxy is used. WSA just need to CONNECT to the upstream proxy and send a request line to it.
Below are some screenshots of statistics your requested - client and server times are high, but I think these are just times how long are TCP connections are kept alive, not HTTP/HTTPS timing, our proxy cannot see them because SSL Scanner is not active.
DNS time are quite OK, because DNS resolution of internal hosts works and internal DNS servers work as intended.
Can you please confirm that WSA need external DNS resolution even in upstream proxy deployment?
Many thanks amojarra!!!
05-25-2022 02:05 AM
Hi @fw_mon
Sorry for late reply
I was checking in my LAB your configurations
lets say my first Proxy has IP 48.27 and its upstream proxy is 48.28
the 48.27 is using some fault DNS server 3.3.2.1
when I send the request to 48.27 :
as you can see it took about 30 seconds to redirect the request to upstream proxy
WSA tries to resolve for 3 hits then it will forward the request to upstream
also on the other hand WSA need a reliable DNS server for its internal usages and modules such as WBRS + updater and ...
hope this will help you out
+++++++++++++++++++++++++++++++++++++++++++++++++++
++++ If you find this answer helpful, please rate it as such ++++
+++++++++++++++++++++++++++++++++++++++++++++++++++
05-25-2022 03:16 AM
thank you @amojarra
based on your testing I'll assume WSA _requires_ DNS resolution even if it behind an upstream proxy.
I accepted your post as solution, many thanks.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide