Skyhigh Security

Conditional and Proxy DNS TTL Behavior in Skyhigh Secure Web Gateway (SWG)

Proxy DNS in SWG

Skyhigh Secure Web Gateway (SWG) uses the Time To Live (TTL) value in DNS responses to decide how long to keep DNS entries in its cache before refreshing them. You can manage this behavior by adjusting the TTL settings under Configuration > Proxies > DNS.


SWG DNS TTL Handling

When SWG receives a DNS response, it compares the TTL in the response to the configured Minimum TTL and Maximum TTL values:

  • If the received TTL is less than the Minimum TTL, SWG uses the Minimum TTL as the effective TTL.
  • If the received TTL is greater than the Maximum TTL, SWG uses the Maximum TTL as the effective TTL.
  • If the received TTL falls within the configured range, SWG uses the TTL value as received. 

This ensures that DNS records are not cached for too short or too long a period, regardless of what the external DNS server returns.

Example: How TTL Works in SWG

The following configuration is set under Configuration > Proxies > DNS.

Minimum TTL = 5 seconds

Maximum TTL = 600 seconds

  • Case 1: TTL in DNS Response = 2 seconds

The received TTL (2s) is less than the Minimum TTL (5s), so SWG overrides it and uses 5 seconds as the effective TTL.

Result: SWG caches this DNS entry for 5 seconds before sending a new DNS query.

  • Case 2: TTL in DNS Response = 400 seconds

The received TTL (400s) falls within the configured range, so no override applies.

Result: SWG uses 400 seconds as-is to cache the DNS entry.

  • Case 3: TTL in DNS Response = 1200 seconds

The received TTL (1200s) is greater than the Maximum TTL (600s), so SWG overrides it.

Result: SWG caches the DNS entry for 600 seconds.

DNS Query Behavior

SWG uses the effective TTL to decide when to query the same domain again: while the cached entry has not expired, no new DNS query is sent. This balances lookup performance against the freshness of the cached address.

 

Conditional DNS in SWG

When Conditional DNS is enabled in SWG, DNS resolution follows a layered process involving the local BIND server and a remote DNS resolver. The TTL behavior in this setup is affected by both the TTL values returned by the DNS servers and the configuration settings within SWG.


How Conditional DNS Resolution Works

SWG sends DNS queries to the local BIND server (usually 127.0.0.1), which forwards them to the remote DNS resolver. The local BIND server applies its own TTL settings (e.g., for positive and negative responses) and returns the DNS response to SWG. SWG then compares the received TTL against its configured Minimum TTL and Maximum TTL values under Configuration > Proxies > DNS.

SWG Conditional Cache Behavior

SWG maintains its own cache, governed by the TTL settings configured under Configuration > Proxies > DNS:

  • Minimum TTL ensures DNS entries are not cached for too short a duration.

  • Maximum TTL caps how long DNS responses are cached, even if the source TTL is higher.

NOTE: The TTL from the local BIND server (after applying Conditional DNS settings) is used as the input TTL, which is then further evaluated by SWG.

Example: How Conditional TTL Works in SWG

Minimum TTL = 5 seconds

Maximum TTL = 600 seconds

Conditional DNS TTL = 60 seconds (the TTL for positive answers, configured under Configuration > Domain Name Service > Conditional DNS)

When you request google.com, SWG sends a DNS query to the local BIND server, which forwards it to the remote DNS resolver. When the resolver returns a TTL of 300 seconds, the BIND server applies its configured Conditional DNS TTL (60 seconds) and returns a TTL of 60 to SWG. SWG then checks this value against its own Minimum TTL (5 seconds) and Maximum TTL (600 seconds). Since 60 lies within that range, SWG sets the final TTL to 60 seconds and caches the entry for that duration.

Now, if another request for google.com comes in after 5 seconds, SWG checks the cache. Since the TTL hasn’t expired, SWG does not initiate a new DNS query to the local BIND server.

The Conditional DNS TTL acts as an upper bound. If the TTL in the DNS response is greater than the configured Conditional DNS TTL, the configured value is used instead; a lower TTL passes through unchanged.

For example: 

  • If the Conditional DNS TTL is set to 20 seconds and the DNS server returns a TTL of 200 seconds, the final TTL is 20 seconds.

  • If the Conditional DNS TTL is set to 20 seconds and the DNS server returns a TTL of 10 seconds, the final TTL is 10 seconds.
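To make the two-stage computation concrete, here is an added Python model, written for this article and not SWG code, of the Proxy DNS clamp from the first section and the Conditional DNS cap from this one, plus the cache check that decides whether a repeat request triggers a new query. The class and field names (DnsTtlPolicy, SwgDnsCache, conditional_ttl), the fake clock and the upstream answer are assumptions for illustration; the real settings are the UI fields named in the text, and nothing here is an SWG API.

```python
"""Model of how SWG derives an effective DNS TTL (added example, not SWG code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class DnsTtlPolicy:
    """Mirrors the three settings discussed in the article. Field names are
    illustrative; the real settings live in the SWG UI, not in an API."""
    min_ttl: int = 5                        # Configuration > Proxies > DNS, Minimum TTL
    max_ttl: int = 600                      # Configuration > Proxies > DNS, Maximum TTL
    conditional_ttl: Optional[int] = None   # Conditional DNS TTL; None = Conditional DNS off

    def bind_ttl(self, resolver_ttl: int) -> int:
        """Stage 1 (Conditional DNS only): the local BIND server caps the TTL
        at the Conditional DNS TTL. It only lowers a TTL, never raises one."""
        if self.conditional_ttl is None:
            return resolver_ttl
        return min(resolver_ttl, self.conditional_ttl)

    def effective_ttl(self, resolver_ttl: int) -> int:
        """Stage 2: SWG clamps whatever it received into [min_ttl, max_ttl]."""
        received = self.bind_ttl(resolver_ttl)
        return max(self.min_ttl, min(received, self.max_ttl))


# An upstream lookup: name -> (address, TTL as returned by the resolver).
Upstream = Callable[[str], Tuple[str, int]]


@dataclass
class SwgDnsCache:
    """Cache keyed by name, storing (address, expiry time) from the effective TTL."""
    policy: DnsTtlPolicy
    now: Callable[[], float]
    entries: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    upstream_queries: List[str] = field(default_factory=list)

    def resolve(self, name: str, upstream: Upstream) -> Tuple[str, bool]:
        """Return (address, fetched_upstream). A live cache entry is served
        without contacting BIND; an expired or missing one triggers a query."""
        t = self.now()
        hit = self.entries.get(name)
        if hit is not None and hit[1] > t:
            return hit[0], False
        address, resolver_ttl = upstream(name)
        self.entries[name] = (address, t + self.policy.effective_ttl(resolver_ttl))
        self.upstream_queries.append(name)
        return address, True


class FakeClock:
    """Deterministic clock so the walkthrough runs offline and reproducibly."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def conditional_walkthrough() -> List[Tuple[float, bool]]:
    """Replay the article's google.com example: resolver says 300 s, Conditional
    DNS TTL is 60 s, so SWG caches for 60 s. Returns (time, fetched_upstream)."""
    clock = FakeClock()
    cache = SwgDnsCache(DnsTtlPolicy(5, 600, conditional_ttl=60), clock)
    # Constructed upstream answer: the address and TTL are made up for the example.
    upstream: Upstream = lambda name: ("198.51.100.10", 300)
    log: List[Tuple[float, bool]] = []
    for t in (0.0, 5.0, 59.0, 60.0):
        clock.t = t
        _, fetched = cache.resolve("google.com", upstream)
        log.append((t, fetched))
    return log


if __name__ == "__main__":
    proxy = DnsTtlPolicy(5, 600)
    for rcvd in (2, 400, 1200):
        print(f"proxy DNS: received {rcvd}s -> effective {proxy.effective_ttl(rcvd)}s")
    cond = DnsTtlPolicy(5, 600, conditional_ttl=20)
    for rcvd in (200, 10):
        print(f"conditional: resolver {rcvd}s -> effective {cond.effective_ttl(rcvd)}s")
    print(conditional_walkthrough())
```

Running it reproduces the three Proxy DNS cases (2 s becomes 5 s, 400 s stays 400 s, 1200 s becomes 600 s) and the Conditional DNS cases (300 s becomes 60 s, 200 s becomes 20 s, 10 s stays 10 s), and the walkthrough shows the request at 5 seconds served from cache while the one at 60 seconds goes back to BIND. One consequence of the stated rules that the article does not spell out: if the Conditional DNS TTL is set below the Minimum TTL, BIND hands SWG the lower value and SWG raises it to the Minimum TTL, so the Minimum TTL wins; in the model, effective_ttl(2) with conditional_ttl=2 returns 5 for exactly that reason.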

DNS PORT REUSAGE LIMIT

This parameter controls how often the source port used for DNS lookups is renewed.

By default, the proxy uses the same source port for up to 1000 DNS requests. After 1000 requests, it renews the port by switching to a different source port.

You can adjust this behavior using the DNS_PORT_REUSAGE_LIMIT parameter to define how frequently the port should be renewed. For more details, see Configure SWG to Vary Source Port for DNS Queries.