DNS Inclusion and Exclusion doesn't work as expected

I have a use case to send DNS lookups of a particular domain [DNS inclusion] to the Zscaler cloud and send all other DNS queries locally [DNS exclusion]. I am using an RFC 1918 DNS server [home router IP] along with Tunnel 2.0. I can either tunnel all DNS requests to Zscaler or bypass all DNS requests and send them locally. I am unable to achieve the desired outcome [tunnel a specific domain and bypass all other domains]. I used ZCC versions 3.7, 3.8 and 3.9. No luck. I raised ticket [03521152] with Zscaler a couple of weeks ago.

Has anyone deployed this successfully in your environment?


Hey @Ganeshkrishnan: Can you please share an MA screenshot? If this is a bug I might not be able to help, but with config issues I might be able to help.
My understanding is you included abc.com and excluded * (everything)?

I have configured it in the way below to forward lookups for google and facebook to Zscaler and the rest locally. It doesn't work.


What if you try just google.com instead of www.google.com?

I have a test profile where 4 domains get sent back for internal dns servers and everything else is sent to zscaler and it works quite well. We currently run version 3.6.0.26 in Tunnel 2.0 mode.

Do you see blocks in the DNS logs, or is it not sending them at all?

I changed the DNS inclusion as requested. ZCC ver 3.6.0.26. If my DNS server is internal 10.X.X.X, all DNS requests are bypassed. If I use a public DNS server, all DNS requests are tunneled. I run Wireshark in parallel and filter on "DNS" to check whether DNS traffic is tunneled via DTLS or sent DIRECT.

Domain Inclusions for DNS Requests: google.com
Domain Exclusions for DNS Requests:
Destination Exclusions: 10.0.0./8
Destination Inclusions: 0.0.0.0/0

Domain Inclusions for DNS Requests: google.com
Domain Exclusions for DNS Requests: *
Destination Exclusions: 10.0.0./8
Destination Inclusions: 0.0.0.0/0

And still no luck? Can you try reversing your configuration just to see if it works or not? So under DNS inclusions use * and under exclusions your internal domains?

I am wondering if there is a precedence issue here, as your use case is the reverse of what they would typically expect.

If you run a packet capture from within ZAPP as well, you can see the physical interface and the LWF traffic. Are you using route based or packet filter based in your forwarding profile?

I reversed the configuration. Still the results are the same. All the DNS requests are bypassed and seen on the Wireshark capture adapter when my DNS server is 10.X.X.X.

Domain Inclusions for DNS Requests:
Domain Exclusions for DNS Requests: google.com
Destination Exclusions: 10.0.0./8
Destination Inclusions: 0.0.0.0/0

Domain Inclusions for DNS Requests: *
Domain Exclusions for DNS Requests: google.com
Destination Exclusions: 10.0.0./8
Destination Inclusions: 0.0.0.0/0

Theoretically, DNS inclusion and exclusion work as described below; not sure if the details help.

• For a DNS query, ZCC checks the domain inclusion/exclusion lists:
• If the domain is included, the query goes to Zscaler. A domain example.com will match subdomains such as abc.example.com or xyz.example.com.
• If the domain is excluded, ZCC then checks the Z-Tunnel 2.0 IP destination inclusion/exclusion lists.

So, if the domain is excluded but the DNS server IP address is a public one (for example 8.8.8.8), it still goes to Zscaler through Z-Tunnel 2.0.

If the DNS server IP address is not excluded in Destination Exclusion list, it will still go through Zscaler (even if the domain is excluded from the DNS).

@Ganeshkrishnan: If you are on Tunnel 2.0 and the DNS inclusions don't work as per your screenshot configuration, please go ahead and file a bug.

Vaishnavi | PM | Client Connector.
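The decision order described in the post above (domain inclusion first, then the Z-Tunnel 2.0 destination lists keyed on the DNS server address) can be modelled so you can predict what a given profile should do before comparing against a Wireshark capture. The following is an added example written for this thread, not Zscaler Client Connector code: it assumes that a domain in neither DNS list is treated like an excluded one (the post only covers included and excluded), that destination exclusions are evaluated before destination inclusions, and it uses the thread's first profile with the exclusion written as the valid CIDR `10.0.0.0/8` (the screenshots show `10.0.0./8`, which is not a parseable prefix, so the parser reports such entries rather than dropping them silently).

```python
"""Model of the ZCC DNS inclusion/exclusion decision described in the thread.

Added illustration, not Zscaler code. Rules reproduced from the post:
1. If the queried domain matches a DNS domain inclusion, tunnel it.
2. Otherwise (excluded, or listed nowhere: an assumption), decide by the
   DNS server IP against the Z-Tunnel 2.0 destination lists, exclusions
   first (assumed order).
"""
import ipaddress


def parse_cidrs(entries):
    """Parse CIDR strings; return (networks, rejected).

    Malformed entries such as '10.0.0./8' (as typed in the thread) are
    returned in `rejected` instead of being ignored, because a dropped
    exclusion silently changes every bypass decision that depends on it.
    """
    nets, rejected = [], []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)
    return nets, rejected


def domain_matches(domain, pattern):
    """'*' matches any name; 'example.com' matches itself and its subdomains."""
    if pattern == "*":
        return True
    d = domain.lower().rstrip(".")
    p = pattern.lower().rstrip(".")
    return d == p or d.endswith("." + p)


def ip_in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def classify_query(domain, dns_server, policy):
    """Return ('tunnel' | 'bypass', reason) for one DNS query."""
    if any(domain_matches(domain, p) for p in policy["dns_include"]):
        return "tunnel", "domain matches a DNS inclusion"
    # Not included: fall through to the destination lists keyed on the
    # DNS server address (the post states this for excluded domains;
    # unlisted domains are assumed to behave the same way).
    dst_excl, _ = parse_cidrs(policy["dst_exclude"])
    dst_incl, _ = parse_cidrs(policy["dst_include"])
    if ip_in_any(dns_server, dst_excl):
        return "bypass", f"DNS server {dns_server} is in a destination exclusion"
    if ip_in_any(dns_server, dst_incl):
        return "tunnel", f"DNS server {dns_server} is in a destination inclusion"
    return "bypass", "DNS server matches no destination list"


# Constructed policy mirroring the thread's first profile, with the
# exclusion written as a valid CIDR (the screenshots show '10.0.0./8').
POLICY = {
    "dns_include": ["google.com"],
    "dns_exclude": ["*"],
    "dst_exclude": ["10.0.0.0/8"],
    "dst_include": ["0.0.0.0/0"],
}


def expected_outcomes(policy=POLICY):
    """Evaluate the thread's two scenarios: internal vs public DNS server."""
    cases = [
        ("www.google.com", "10.0.0.1"),  # included domain, internal resolver
        ("example.org", "10.0.0.1"),     # other domain, internal resolver
        ("www.google.com", "8.8.8.8"),   # included domain, public resolver
        ("example.org", "8.8.8.8"),      # other domain, public resolver
    ]
    return {(d, s): classify_query(d, s, policy)[0] for d, s in cases}


if __name__ == "__main__":
    for (dom, srv), verdict in expected_outcomes().items():
        print(f"{dom:18} via {srv:10} -> {verdict}")
    _, bad = parse_cidrs(["10.0.0./8"])
    print("rejected CIDR entries:", bad)
```

Under these rules the first profile should tunnel `www.google.com` and bypass everything else when the resolver is `10.0.0.1`, and tunnel everything when the resolver is `8.8.8.8`; the "all bypassed with an internal resolver" result reported in the thread is the case where the modelled outcome and the capture disagree, which is the comparison worth attaching to the TAC case.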

Yes, I submitted a TAC case, 03521152. Explained and demonstrated the issue to the engineer. Waiting for them to review and replicate at the Zscaler end.