Can we proxy DNS requests through ZCC and apply policy on the returned values?

We basically want ZPA to send only RFC 1918 to a ZPA wildcard domain? Names, not IPs/networks? The customer doesn't have a way, i.e. a subdomain, to distinguish public Internet from internal if they use a wildcard domain to discover apps. If they send everything to ZPA, it will break their public-facing websites. Creating a bypass segment won't work either, as they don't even know the URLs that need to be excluded from ZPA other than if it's based on private IPs.

In other words, we want ZCC to proxy DNS requests and, if the response IP is within RFC 1918 space, forward to ZPA; otherwise let the external sites go direct. How can I enable this solution?


This isn't possible through ZPA configuration today. One approach is to create a "view" in DNS so the server only returns RFC1918 addresses, and NXDOMAIN for all other responses. Infoblox is an example of a DNS server that (AFAIK) would support such views.

There is an ER out to do policy decisions based on DNS/IP results (in fact, it was coded but never implemented in production); you might want to add your use case.

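To make the suggested DNS "view" concrete, here is an added example that is not part of the original thread or of any Zscaler or Infoblox product: it models the answer filtering a view would perform (keep only RFC 1918 A records, return NXDOMAIN when none remain) and the resulting ZPA-versus-direct decision the original poster asked about. The domain names and addresses are constructed sample data, and `route_decision` is a hypothetical stand-in for client logic, not ZCC behaviour.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

# Strictly the RFC 1918 ranges. ipaddress.ip_address(...).is_private is
# deliberately NOT used: it also matches loopback, link-local and other
# non-RFC 1918 space, which would wrongly steer those names to ZPA.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True only for IPv4 addresses inside one of the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETWORKS)


def filter_view(answers: Iterable[str]) -> Optional[List[str]]:
    """Model of the DNS view from the answer above.

    Keeps only RFC 1918 A records from the upstream answer set. A mixed
    response (private and public records) is reduced to its private records.
    Returns None to represent NXDOMAIN when nothing private is left.
    """
    kept = [a for a in answers if is_rfc1918(a)]
    return kept or None


def route_decision(answers: Iterable[str]) -> str:
    """Hypothetical client-side decision (assumption, not ZCC logic):
    a non-empty filtered answer means the name is internal -> ZPA,
    NXDOMAIN from the view means public -> direct."""
    return "ZPA" if filter_view(answers) else "direct"


# Constructed sample upstream responses (documentation address ranges).
SAMPLE_RESPONSES: Dict[str, List[str]] = {
    "intranet.example.com": ["10.20.30.40"],
    "www.example.com": ["198.51.100.7"],
    "mixed.example.com": ["172.31.0.5", "203.0.113.9"],
    "notprivate.example.com": ["172.32.0.1"],   # just outside 172.16/12
    "ipv6only.example.com": ["2001:db8::1"],    # no RFC 1918 answer at all
}


def classify_all(responses: Dict[str, List[str]] = SAMPLE_RESPONSES) -> Dict[str, str]:
    """Apply the view plus routing decision to every sample name."""
    return {name: route_decision(addrs) for name, addrs in responses.items()}


if __name__ == "__main__":
    for name, decision in classify_all().items():
        print(f"{name:28s} -> {decision}")
```

Note that this only models the answer filtering; a real view is selected per client or source network on the DNS server, and a name whose only records are public gets NXDOMAIN from that view, so the client needs its normal resolver path for public names to keep working.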

Great! There are merits to this solution. Currently the customer workflow for publishing external DNS produces a file (effectively creating an AXFR of the publicly resolvable addresses) which then serves as a bypass for ZPA, so that the wildcard segment excludes external names and thus hopefully only resolves to internal addresses.

Sounds like that would work together quite nicely :)

Is there a date for this ER? With Azure Private Link being adopted more and more, this is something that we are also looking for.