DNS cache poisoning and DNSSEC

The Zscaler Trusted Resolver (ZTR) clusters located in each data center, together with the DNS Control capability of Advanced Cloud-Gen Firewall, resist DNS cache poisoning in two main ways:

  1. If the customer chooses to DNAT route (and redirect) DNS traffic to the Zscaler Trusted Resolver (ZTR), the ZTR uses DNSSEC on the backend for its iterative resolutions. DNSSEC validation checks that the response for a domain was signed by the key of the zone that is authoritative for it, provided that zone is signed. Not all zones are signed, but the ZTR always attempts DNSSEC validation first and falls back to ordinary, unvalidated resolution only where the zone is not signed. Validation is carried out iteratively along the chain of trust: the resolver starts from the root trust anchor, validates the root's DNSKEY, uses the DS record published in the root to validate the TLD's DNSKEY, and continues in the same way down to the zone that holds the queried name.

  2. Regardless of whether the ZTR or a third-party public DNS resolver is used, DNS Control inspects both the queried domain and the IP address in the response for indications that the IP is used for malicious purposes, or that it belongs to a category the customer has chosen to block. This drops bad DNS responses (particularly those in the "Malicious" category) that attempt to poison the end user's cache, and it flags caches that have already been poisoned, since a poisoned entry surfaces as a legitimate domain resolving to a flagged IP.
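The chain-of-trust walk that point 1 describes, as an added Go example. This is not Zscaler's code and says nothing about how the ZTR is implemented; it builds a constructed toy hierarchy (root, com., example.com., and an unsigned unsigned.com.) using Ed25519 signatures (DNSSEC algorithm 15) and SHA-256 DS digests, then runs a validator over four answers to show the three outcomes a validating resolver can reach: secure, bogus (an A record poisoned to a different address while reusing the genuine RRSIG, or a rogue DNSKEY that the parent's DS does not match), and insecure (the parent publishes no DS for the zone). The zone names, addresses, and the Zone, Answer, Validate and Scenarios names are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Status is the outcome a validating resolver attaches to an answer.
type Status string

const (
	Secure   Status = "secure"   // every delegation and the final RRSIG verified
	Insecure Status = "insecure" // a parent publishes no DS: the zone is unsigned
	Bogus    Status = "bogus"    // chain present but broken: DS/DNSKEY mismatch or bad RRSIG
)

// Zone is one zone in a constructed toy hierarchy (example only). Real DNSKEY
// rdata carries a flags/protocol/algorithm prefix; here the key is a raw
// Ed25519 public key (DNSSEC algorithm 15) so the digest step stays readable.
type Zone struct {
	Name   string
	priv   ed25519.PrivateKey
	DNSKEY ed25519.PublicKey
	DS     map[string][]byte // child zone name -> SHA-256 digest of the child's DNSKEY
}

// Answer is what the resolver receives: the A record plus the RRSIG that
// supposedly covers it. A poisoner controls both fields but not the zone key.
type Answer struct {
	Name  string
	Rdata string
	RRSIG []byte
}

// dsDigest follows RFC 4034 section 5.1.4: digest(owner name || DNSKEY rdata).
func dsDigest(owner string, key ed25519.PublicKey) []byte {
	h := sha256.New()
	h.Write([]byte(strings.ToLower(owner)))
	h.Write(key)
	return h.Sum(nil)
}

// signedBytes is what an RRSIG covers in this toy; RFC 4034 signs the canonical
// RRset plus RRSIG rdata fields, which changes nothing about the idea.
func signedBytes(name, rdata string) []byte { return []byte(name + "|A|" + rdata) }

func newZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, priv: priv, DNSKEY: pub, DS: map[string][]byte{}}
}

// delegate publishes the child's DS in the parent: the link a validator follows.
func delegate(parent, child *Zone) { parent.DS[child.Name] = dsDigest(child.Name, child.DNSKEY) }

// Sign produces the answer a zone serves: the record and its RRSIG.
func (z *Zone) Sign(name, rdata string) Answer {
	return Answer{Name: name, Rdata: rdata, RRSIG: ed25519.Sign(z.priv, signedBytes(name, rdata))}
}

// Validate starts from the trust anchor (the root DNSKEY), checks each
// delegation's DS against the child's DNSKEY while walking root -> TLD -> zone,
// then verifies the answer's RRSIG with the key it ended up trusting.
func Validate(zones map[string]*Zone, anchor ed25519.PublicKey, ans Answer) (Status, string) {
	cur, ok := zones["."]
	if !ok || !bytes.Equal(cur.DNSKEY, anchor) {
		return Bogus, "root DNSKEY does not match the trust anchor"
	}
	labels := strings.Split(strings.TrimSuffix(ans.Name, "."), ".")
	for i := len(labels) - 1; i >= 0; i-- { // suffixes top-down: com., example.com., ...
		cut := strings.Join(labels[i:], ".") + "."
		child, isZone := zones[cut]
		if !isZone {
			continue // no zone cut here; the name lives in cur
		}
		ds, hasDS := cur.DS[cut]
		if !hasDS {
			return Insecure, "no DS for " + cut + " in " + cur.Name // unsigned child
		}
		if !bytes.Equal(ds, dsDigest(cut, child.DNSKEY)) {
			return Bogus, "DS in " + cur.Name + " does not match the DNSKEY of " + cut
		}
		cur = child // the child's DNSKEY is now trusted
	}
	if !ed25519.Verify(cur.DNSKEY, signedBytes(ans.Name, ans.Rdata), ans.RRSIG) {
		return Bogus, "RRSIG over " + ans.Name + " does not verify with the DNSKEY of " + cur.Name
	}
	return Secure, "chain of trust verified down to " + cur.Name
}

// Scenarios builds the constructed hierarchy and validates four answers.
func Scenarios() map[string]Status {
	root, com, example := newZone("."), newZone("com."), newZone("example.com.")
	unsigned := newZone("unsigned.com.") // deliberately never delegated with a DS
	delegate(root, com)
	delegate(com, example)
	zones := map[string]*Zone{".": root, "com.": com, "example.com.": example, "unsigned.com.": unsigned}
	rogue := newZone("example.com.") // attacker's key; com. still holds the genuine DS
	rogueZones := map[string]*Zone{".": root, "com.": com, "example.com.": rogue}

	genuine := example.Sign("www.example.com.", "203.0.113.10")
	poisoned := Answer{Name: genuine.Name, Rdata: "198.51.100.66", RRSIG: genuine.RRSIG}
	out := map[string]Status{}
	out["genuine"], _ = Validate(zones, root.DNSKEY, genuine)
	out["poisoned rdata"], _ = Validate(zones, root.DNSKEY, poisoned)
	out["rogue dnskey"], _ = Validate(rogueZones, root.DNSKEY, rogue.Sign(genuine.Name, "198.51.100.66"))
	out["unsigned zone"], _ = Validate(zones, root.DNSKEY, unsigned.Sign("www.unsigned.com.", "203.0.113.20"))
	return out
}

func main() {
	for name, st := range Scenarios() {
		fmt.Printf("%-15s %s\n", name, st)
	}
}
```

Two simplifications matter if you compare this with a real validator. The toy signs a flat byte string rather than the canonical RRset, and it treats a missing DS as "insecure" without demanding the parent's signed NSEC/NSEC3 proof that the DS really is absent; that proof is what stops an on-path attacker from downgrading a signed zone to "insecure" simply by stripping the DS out of the referral.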

DNS records are typically held in the local cache of each data center for the duration of the record's TTL.

The diagram below shows both where DNSSEC is employed and the resolver versus transit options (whether DNS traffic is redirected to the ZTR or passed through to a third-party resolver), which are enabled by Destination NAT configuration rules in the Firewall Filtering section of the UI console: