Cisco – DNS options Ironport Web security appliance

Tags: cisco, dns, security

I'm running an Ironport WSA in transparent mode.
In advanced proxy config – DNS Options I find the following:

Find web server by:
Specify how the appliance should find the location of the requested web server.
0 = use DNS answers in order
1 = use client supplied address then DNS
2 = use ONLY client supplied address
3 = use client supplied address for next hop connection and Web Reputation (Warning: Destination IP based policies will still use DNS).
Default Value: 1

Can anyone explain why it makes sense to use 1 as the default?
With 1, a user can edit his hosts file and point www.google.com to 123.45.67.89. The request goes to the proxy, which does a DNS lookup for www.google.com, but will still forward the request to 123.45.67.89.
Why is the proxy doing a DNS lookup if it doesn't use the answer?

Can anyone see a good reason not to use 0?
It makes sense to me, since the proxy does a DNS request anyway, and this will make the proxy logs more trustworthy.

Best Answer

This could first of all be necessary if for some reason, the client has access to more or different name resolution data than the proxy. You gave one simple example yourself: an entry in the client's host file that is not present on the proxy. Or the client could be talking to a different DNS server.

It could also be an efficiency thing, since with option 0 all DNS requests will be performed twice, once by the client and then again by the proxy. In option 1, the proxy will only perform a DNS lookup as a fallback if the client supplied address doesn't work.

Also note that when a domain uses round robin DNS, the client and proxy might get a different answer to their queries. This would result in a connection to a different server, not the one the client expected to be connected to. This could cause issues with protocols which somehow depend on being connected to the instance returned by DNS. Such a protocol would work with option 1, but not always with option 0.
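To make the behaviour of the four "Find web server by" modes concrete, here is a small Python model, added here as an illustration (it is not Cisco code and not from either poster). It covers both the hosts-file case from the question and the answer's two points (client knowing a name the proxy cannot resolve, and round-robin DNS returning a different server than the client chose), and adds a defender-side audit that flags requests whose client-supplied destination is not among the proxy's own DNS answers. The DNS table, the addresses and the "reachable" rule are constructed sample data; the assumed function names (`choose_destination`, `dns_mismatch`, `audit`) are mine.

```python
"""Model of the WSA 'Find web server by' modes 0-3 plus a log-audit check.

Added example, not Cisco code. All addresses and DNS answers below are
constructed: 203.0.113.x are the proxy's DNS answers, 192.0.2.x is a
hosts-file override on the client, 198.51.100.x is treated as unreachable.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed view of DNS as seen by the proxy. The first name is served by
# round-robin DNS (two answers); the second is one the proxy cannot resolve.
PROXY_DNS = {
    "www.example.com": ["203.0.113.10", "203.0.113.11"],
    "intranet.example.local": [],
}


@dataclass
class Request:
    host: str         # Host header / SNI of the intercepted request
    client_dst: str   # destination IP the client actually connected to


def reachable(ip: str) -> bool:
    """Stand-in for the proxy's TCP connect attempt (constructed rule)."""
    return not ip.startswith("198.51.100.")


def choose_destination(req: Request, mode: int) -> Optional[str]:
    """Return the next-hop IP the proxy would use, or None if none works.

    mode 0: DNS answers in order
    mode 1: client-supplied address, then DNS as fallback (the default)
    mode 2: ONLY the client-supplied address
    mode 3: client-supplied address for next hop; destination-IP based
            policies would still use DNS, which this model does not cover,
            so for next-hop selection it behaves like mode 2 here.
    """
    answers = PROXY_DNS.get(req.host, [])
    if mode == 0:
        return next((ip for ip in answers if reachable(ip)), None)
    if mode == 1:
        if reachable(req.client_dst):
            return req.client_dst
        return choose_destination(req, 0)
    if mode in (2, 3):
        return req.client_dst if reachable(req.client_dst) else None
    raise ValueError(f"unknown mode {mode}")


def dns_mismatch(req: Request) -> bool:
    """True when the proxy's DNS resolves the host but the client went
    somewhere else (e.g. a hosts-file override). Unresolvable names are
    not flagged, since the proxy has nothing to compare against."""
    answers = PROXY_DNS.get(req.host, [])
    return bool(answers) and req.client_dst not in answers


def audit(requests: List[Request]) -> List[Tuple[str, str]]:
    """Defender-side pass over proxy log entries: list (host, client_dst)
    pairs where the client-supplied address disagrees with DNS. This is the
    check that makes mode-1 logs trustworthy: the forwarded IP is recorded
    together with whether DNS agreed with it."""
    return [(r.host, r.client_dst) for r in requests if dns_mismatch(r)]


if __name__ == "__main__":
    sample = [
        Request("www.example.com", "203.0.113.11"),     # round-robin, 2nd answer
        Request("www.example.com", "192.0.2.50"),       # hosts-file override
        Request("intranet.example.local", "10.0.0.5"),  # only client can resolve
        Request("www.example.com", "198.51.100.9"),     # client address is down
    ]
    for r in sample:
        print(r.host, r.client_dst, [choose_destination(r, m) for m in range(4)])
    print("flagged:", audit(sample))
```

Running the block shows the trade-off both posters describe: in mode 0 the round-robin request is sent to 203.0.113.10 even though the client chose 203.0.113.11, the hosts-file override is ignored, and the intranet name cannot be reached at all; in mode 1 the client's choice is honoured in all three cases and DNS is only consulted when 198.51.100.9 fails. The audit list is what a defender would want from mode 1: the override to 192.0.2.50 is still forwarded, but it is visible in the logs as a DNS mismatch.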
