DNS logging in Tunnel 2.0 for Road Warriors

How does one implement DNS logs for Road Warriors (zs client connector version 2+)?
When we go to DNS insights → logs, we can only see DNS logs for road warriors who happen to have an external DNS server configured as their DNS server. There aren't any DNS logs for road warriors who have a private IP configured as their DNS server.

Hi Rafael, the default Client Connector configuration bypasses private IP space (as defined in RFC 1918) from going to the service, as it wouldn't be routable. I think this would apply in your scenario, if I'm understanding it correctly.

Hi @phayes, you are correct, it does bypass RFC 1918 addresses. The question is, how do we actually implement DNS logging then? Can it not be done unless we switch all of our thousands of users' computers to use a public DNS from their ISP (or any public DNS for that matter), instead of their local home router's private address?

Today, we have an option to send all DNS requests to Zscaler.
Under App profile, you have Domain Inclusions for DNS Requests, which can be leveraged for this ask.
This is also dependent on the new Zapp build 3.2.0.
See https://help.zscaler.com/z-app/configuring-zscaler-app-profiles for reference.

@Prajith, thanks. I did see that option sometime back. This is definitely something new, isn’t it?
I guess a follow-up question is, how was DNS logging (for road warriors with Tunnel 2.0 and an RFC 1918 address as DNS server) done before this feature?

If the queries came to us, then we would log them. But since most networks would provide a private IP for DNS, the DNS would escape the tunnel and not be logged on us.

This was introduced recently, mainly to support Source IP anchoring, cos the DNS queries have to land on us to get non-web traffic to go through ZIA.

@Prajith, 10-4. Thanks.
I am super excited about this feature!