WSA +upstream proxy: "very limited DNS usage" doesn't work as expected

fw_mon
Level 1
Our WSA uses an upstream proxy to access the internet and cannot resolve external DNS addresses.
>advancedproxyconfig > DNS > 3 = Very limited DNS usage
If using upstream proxies only, the best practice is to use option 3

Even with this option enabled I see logged DNS requests that cannot be answered.
How can DNS resolution be disabled completely? If WSA requires DNS to operate, is there any option to get DNS information via DoH/DoT through the upstream proxy instead? Does WSA mandatorily require DNS resolution to operate correctly in an upstream proxy setup?
 
 
 

amojarra
Cisco Employee

If you are using Explicit Proxy mode, WSA will go and query for DNS records.

If you use Transparent Proxy mode, we can configure WSA to trust the client's DNS resolution or do the name resolution itself.

This is what this configuration is for:

>advancedproxyconfig > DNS > 3 = Very limited DNS usage    --> it means: trust the IP resolved by the client's DNS

 

 

Thank you @amojarra

Currently our WSA is not able to resolve external DNS hostnames. I see all these failed DNS queries in a tcpdump capture. Do failed DNS lookups have any negative consequences, like increased latency or missing reputation information? If yes, is DNS mandatory for WSA behind an upstream proxy? The response latency for most websites is reasonably low. How does WSA handle this situation internally?

I know from other vendors that a downstream proxy usually doesn't need external DNS resolution.

Hi @fw_mon 

 

WSA uses DNS for two reasons:

1- For its proxy service

2- For its internal services such as WBRS (Web Reputation Score): WSA needs to resolve the FQDN to an IP to check whether the IP is blacklisted, and for other checks.

For the proxy procedures, if the WSA cannot resolve the URL it will try to resolve the FQDN a couple of times; how many depends on the number of DNS servers you have provided in the WSA.

Regarding the upstream proxy: since it is explicit, WSA will send an HTTP CONNECT to its upstream proxy server, and the name resolution for the web server will happen there.

 

I suggest:

[1] Check whether FTP is enabled on your WSA (if not: CLI > ifconfig > edit > management interface > Do you want to enable FTP on this interface? [N]> Y > hit enter to end the wizard > commit)

[2] Connect via FTP and navigate to the folder Track_Stat

[3] Download Prox_track.log

[4] You can check the latency in a couple of sections:

           - Client Time: time taken from client to WSA

           - Server Transaction Time: time from WSA to web server

           - DNS time: DNS resolution time

For example, in the line below:

Client Time 631.0 ms 7415

there are 7,415 requests which took 631 milliseconds from client to WSA since the device was last rebooted.

In order to find the number of current occurrences, you have to subtract these values between two time periods;

each section is a 5-minute time stamp.

So in this case, if I have:

17 May 2022 05:02:07   ...   Client Time 631.0 ms 7415

17 May 2022 05:05:07   ...   Client Time 631.0 ms 7815

we have 400 connections that took 631 ms from client to WSA.

 

The same applies to the DNS and server sections.

For more information you can check this link:

https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKSEC-3771.pdf

 

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++   If you find this answer helpful, please rate it as such  ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

 
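The subtraction described in the post above, as an added example that is not part of the original thread or of Cisco's tooling: it parses counter lines in the shape shown in the reply (timestamp, elided fields, metric name, latency bucket, cumulative count), groups them by snapshot and subtracts consecutive snapshots to get per-interval counts. The sample lines are constructed, and the exact field layout of Prox_track.log is an assumption taken from the quoted lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the lines quoted in the reply (not real
# appliance output). Counts are cumulative since the last reboot, one snapshot
# every 5 minutes, so the per-interval count is the delta between snapshots.
SAMPLE_LOG = """\
17 May 2022 05:02:07 ... Client Time 631.0 ms 7415
17 May 2022 05:02:07 ... Server Transaction Time 1200.0 ms 310
17 May 2022 05:02:07 ... DNS time 45.0 ms 88
17 May 2022 05:05:07 ... Client Time 631.0 ms 7815
17 May 2022 05:05:07 ... Server Transaction Time 1200.0 ms 322
17 May 2022 05:05:07 ... DNS time 45.0 ms 88
"""

# Assumed layout: leading timestamp, anything in between, then
# "<metric> <bucket> ms <cumulative count>" at the end of the line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2}).*?"
    r"(?P<metric>Client Time|Server Transaction Time|DNS time)\s+"
    r"(?P<bucket>[\d.]+) ms\s+(?P<count>\d+)\s*$"
)


def parse_snapshots(text):
    """Return {snapshot_time: {(metric, bucket_ms): cumulative_count}}."""
    snaps = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not latency counters
        ts = datetime.strptime(m["ts"], "%d %b %Y %H:%M:%S")
        snaps[ts][(m["metric"], float(m["bucket"]))] = int(m["count"])
    return dict(snaps)


def interval_deltas(snaps):
    """Subtract consecutive snapshots: list of (start, end, {key: count})."""
    deltas = []
    ordered = sorted(snaps)
    for prev, cur in zip(ordered, ordered[1:]):
        per_interval = {}
        for key, count in snaps[cur].items():
            before = snaps[prev].get(key, 0)
            # A counter lower than before means the appliance rebooted in
            # between; the new value is then the whole interval's count.
            per_interval[key] = count - before if count >= before else count
        deltas.append((prev, cur, per_interval))
    return deltas
```

Running `interval_deltas(parse_snapshots(SAMPLE_LOG))` on the sample reproduces the 400 "Client Time 631.0 ms" requests from the reply, and shows that a bucket whose counter did not move (DNS time here) contributed nothing in that interval.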

Hello @amojarra

Many thanks for your explanations.

We reduced the WBRS update interval from 5m to 1d some time ago, and even recently disabled WBRS completely. Nevertheless, WSA continues to perform DNS lookups. I still see a lot of DNS requests in tcpdump.

For proxy services, I expected that WSA doesn't need a destination IP if an upstream proxy is used. WSA just needs to CONNECT to the upstream proxy and send a request line to it.

Below are some screenshots of the statistics you requested. Client and server times are high, but I think these are just the times for which TCP connections are kept alive, not HTTP/HTTPS timings; our proxy cannot see those because the SSL Scanner is not active.

DNS times are quite OK, because DNS resolution of internal hosts works and the internal DNS servers work as intended.

Can you please confirm that WSA needs external DNS resolution even in an upstream proxy deployment?

Many thanks amojarra!!!

[attached screenshots: client_latency_WSA_insight_a.png, dns_latency_WSA_insight.png, server_latency_WSA_insight_a.png]

 

Hi @fw_mon

Sorry for the late reply.

I was checking your configuration in my lab.

Let's say my first proxy has IP 48.27 and its upstream proxy is 48.28.

The 48.27 is using some faulty DNS server, 3.3.2.1.

When I send the request to 48.27:

[attached screenshot: dns-proxy.png]

As you can see, it took about 30 seconds to redirect the request to the upstream proxy.

WSA tries to resolve for 3 hits, then it will forward the request upstream.

Also, on the other hand, WSA needs a reliable DNS server for its internal usage and modules such as WBRS, the updater and so on.

Hope this will help you out.

 

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++   If you find this answer helpful, please rate it as such  ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

 

Thank you @amojarra

Based on your testing I'll assume WSA _requires_ DNS resolution even if it is behind an upstream proxy.

I accepted your post as the solution, many thanks.