Zscaler and internal DNS resolution issues

Our office networks have internal DNS set on them. When a user connects to one of these networks and tries to visit an internal URL like bob.internal.net (we have split-brain DNS, internal and external, that use the same domain), it would resolve the internal IP, which prevents them from reaching the page successfully because we do not allow IPs in the app segment.

One of the approaches we’ve taken to resolve this is creating a whole new wireless network and setting only external DNS on it. This method works, but it does require users to join this Wi-Fi network, and sometimes they don’t join it and it breaks their access.

We can’t make this DNS change on the existing LAN/Wi-Fi networks because it will break certain things. Does anyone know if there is any solution for the above that would be a seamless migration for our users?

Thank you!

Assuming your ZCC clients are active while on-net, add *.internal.net to the DNS Exclusion List in your ZCC App Profile.

I went back to AnyConnect. Another option might be to use the dig CLI on Infoblox. I do nslookup frequently for firewall security policies. Thanks

We are in the same boat around ZPA intercepting the DNS traffic and returning the carrier-grade NAT address of 100.64.x.x. We have to keep flipping back to our legacy VPN solution to perform accurate lookups.

Might be aggressive, but can we bypass all DNS requests from being intercepted, which would produce the correct lookup?

I’m well aware that goes against zero trust. But it is also a holdup for a large-scale deployment due to tech folks needing that requirement.

Any more ideas on how to get around this ZPA vs. nslookup nightmare? Zscaler hasn’t provided a workaround. The other option: I have disabled ZPA and use Cisco VPN.

I am not sure I follow the question above. If ZPA is enabled in the office and the URL bob.internal.net is defined for the user, it seems like it would just be sent as before and be resolved by the App Connector. Not sure why defining by IP would be necessary, since it would be proxied by the App Connector. I assume this is a ZPA question based on app segment being mentioned. I know some disable ZPA while in the office, or will only forward certain applications not reachable natively while in the office, like isolated cloud environments that can only be reached by an App Connector in the cloud VNET/VPC.

What does DNS exclusion do? How does that prevent users from resolving internal DNS while on LAN?

Also, does this work with ZPA?

We have an Infoblox DNS server that gets all records from our Active Directory server, which helps us solve nslookups by doing “nslookup serverip infobloxdnsserverIp”, and that seems to work for us.

We’ve since resolved this issue. One way we got around this was to create a separate DNS server, one that isn’t part of the DHCP DNS servers.

ZCC will intercept the DNS lookups. Manipulating DNS results is one method Zscaler uses to redirect clients to the appropriate service/destination correctly.

By placing the domain you own and manipulate via split-brain DNS in the DNS bypass list, the ZCC client will never intercept and manipulate DNS results for that domain.

Will it work with ZPA? It depends. If this domain is part of the services you’ve defined in an App Segment in ZPA, then you cannot add it to DNS bypass, because ZPA relies on intercepting the DNS call for those domains to provide a DNAT address to manipulate the path the client traffic takes. If this domain is not part of your defined applications in ZPA, then yes, it will work with ZPA.
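To make the distinction in the last reply concrete, here is a small added diagnostic (my own example, not code from any poster or from Zscaler) that compares what the OS stub resolver returned with what the internal authoritative server returned directly (the kind of "nslookup name infobloxserver" lookup mentioned above) and labels each name as intercepted by ZCC (a synthetic 100.64.0.0/10 answer), consistent with internal DNS, or bypassed to the external split-brain view. The hostnames, addresses and the `diagnose` function are constructed for illustration; the RFC 1918 and RFC 6598 ranges are the only real values.

```python
import ipaddress
from typing import Dict, List, Tuple

# ZPA hands the client a synthetic address from the carrier-grade NAT
# block (RFC 6598) when it intercepts a lookup for an app-segment domain.
ZPA_SYNTHETIC_NET = ipaddress.ip_network("100.64.0.0/10")

# Explicit RFC 1918 ranges; ipaddress.is_private also covers test-net
# blocks, which would mislabel the constructed "public" sample below.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_address(addr: str) -> str:
    """Label a single A-record answer by the view it most likely came from."""
    ip = ipaddress.ip_address(addr)
    if ip in ZPA_SYNTHETIC_NET:
        return "zpa-synthetic"
    if any(ip in net for net in RFC1918):
        return "internal"
    return "public"


def diagnose(name: str, stub_answers: List[str], auth_answers: List[str]) -> str:
    """Compare the OS resolver's answers (possibly rewritten by ZCC) with the
    internal authoritative server's answers for the same name.
    Returns: intercepted, consistent, bypassed or mismatch."""
    labels = {classify_address(a) for a in stub_answers}
    if "zpa-synthetic" in labels:
        return "intercepted"   # ZCC answered: name is inside an App Segment
    if set(stub_answers) == set(auth_answers):
        return "consistent"    # lookup reached internal DNS untouched
    if labels == {"public"}:
        return "bypassed"      # external split-brain view answered instead
    return "mismatch"          # internal answers differ; stale record or wrong server


# Constructed sample: name -> (stub resolver answers, authoritative internal answers)
SAMPLE: Dict[str, Tuple[List[str], List[str]]] = {
    "bob.internal.net":      (["100.64.3.17"],  ["10.20.30.40"]),  # in an App Segment
    "intranet.internal.net": (["10.20.30.41"],  ["10.20.30.41"]),  # on the DNS exclusion list, on-net
    "www.internal.net":      (["203.0.113.10"], ["10.20.30.42"]),  # external DNS served the public view
}


def run(sample: Dict[str, Tuple[List[str], List[str]]] = SAMPLE) -> Dict[str, str]:
    """Return a verdict per hostname for the given sample."""
    return {name: diagnose(name, stub, auth) for name, (stub, auth) in sample.items()}


if __name__ == "__main__":
    for host, verdict in run().items():
        print(f"{host:25s} {verdict}")
```

A hostname that comes back "intercepted" is one the last reply says cannot go on the DNS bypass list; "bypassed" or "consistent" names are candidates for it.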