ExceptionFilter in ZSATunnel log file for 8.8.8.8

,

While working through some DNS issues I see in the ZSATunnel Log file entries such as these below. However, I don’t have such an exception listed in any of our ZCC App Profiles. Does anyone else have this entry in their log files?

ZSATUNNEL_DATE.log: DBG getExceptionFilters: Adding exception filter for Entry: IP: 8.8.8.8 MASK: 32 Protocol 17 Port: 53-53

ZSATUNNEL_DATE.log: DBG addToFilterTable: Adding:[ IP: 8.8.8.8 Mask: 255.255.255.255 Adapter: 8 Type: ZIA Include/Exclude SRC_PORT: 0 - 0 DST_PORT: 53 - 53 Protocol: UDP ACTION: Redirect IP_PROTO: IPv4]

ZSATUNNEL_DATE.log: IP: 8.8.8.8 Mask: 255.255.255.255 Adapter: 8 Type: ZIA Include/Exclude SRC_PORT: 0 - 0 DST_PORT: 53 - 53 Protocol: UDP ACTION: Redirect IP_PROTO: IPv4

I’m trying to determine where this is originating. Any guidance would be greatly appreciated.

ZCC - Windows 10, 3.4.0.124 & 3.4.1.4

Thank you,

Joe Ringham

I assume you have configured 8.8.8.8 as your primary DNS server. ZCC needs to bypass DNS server in order to be able to do local DNS requests.

When on-trusted network these normally are your internal DNS servers. When user is on home network or some public WIFI, the network DHCP server might be configured to use the Google DNS (8.8.8.8/8.8.4.4.).

The configured DNS server need to be automatically bypassed from ZTunnel 2, as your device needs to be able to resolve the Zscaler services (PAC files, Zscaler nodes, and any local services).

Does this answer your question?

If we bypass ZTunnel 2 for DNS requests then we cannot enforce the DNS policy in Zscaler?

I follow your logic however, the local dns server is not configured as 8.8.8.8 rather the local wifi router 192.168.1.x. Also, notice in the log message the action is Redirect and not Bypass.

This is why I am confused and trying to find out where this item for 8.8.8.8 is coming from.

Thank you,

Joe Ringham

Joe,

If you want to send your DNS traffic to Zscaler via Ztunnel 2.0, you can do so by Entering * in the Domain Inclusions in App Profile and put it any required Domain Exclusions.

Screenshot 2021-07-07 at 15.04.36

As Domain Exclusion for DNS Requests you probably want to add internal domains and any external domains you want to resolve locally… (eg. zscaler.com and zscloud.net)

The Google DNS question I can’t answer. If your local DNS is pointing to 192.168.x.x. and you don’t know yet where the 8.8.8.8 DNS comes from, I suggest that you open a support ticket and work with them to analyse the logs.

If you have found the answer, I hope you let us know here on the Community.