FQDN used in Advanced Firewall rule

FQDNs can be used in the “Destination IPs” tab for the Advanced Firewall module. Does anyone have experience with that?
Are there further requirements for that like sending DNS traffic to Zscaler?
How is the resolution done here in general? Is this mapped to users or locations?
I think DNS resolution “done from clients” might be different from DNS resolution “done from other clients” or “done from Zscaler DC” due to different resolvers or countries / region.
Will “DNS over TLS” / “DNS over SSL” affect this feature somehow?

Thanks for your help in advance!
Best regards

Hi @Andreas, when an FQDN is configured, Zscaler Enforcement Nodes (ZENs) will automatically resolve the IPs and cache them locally using Zscaler DNS servers local to the DC/POP. When traffic hits a ZEN, it will match the cached IPs against the Dest IP to enforce the policy.

We don’t need to see DNS, we use Zscaler DNS resolvers. Since it is local to ZEN, it uses geolocation.

Yes, for your comment on DNS resolution.

DNS over TLS/SSL will not have an impact because we are not relying on client DNS to be forwarded to us.

We also have an option to overwrite the Dest IP based on Zscaler resolved DNS IP.
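The matching behaviour described in the reply above, as an added example that is not part of the original thread and is not Zscaler's code: a simplified model in which the enforcement node resolves a rule's FQDN through its own resolver, caches the answer for the TTL, and compares each flow's destination IP against that cache. The `FqdnRuleCache` class, the two resolver views and the addresses are constructed for the illustration; `find_unmatched` lists client-resolved IPs that the node's rule would not match when the client's resolver returns a different geo-specific answer.

```python
import ipaddress
import time

class FqdnRuleCache:
    """Simplified model (assumption): node-side FQDN resolution with a TTL cache."""

    def __init__(self, resolver, clock=time.monotonic):
        self.resolver = resolver   # callable: fqdn -> (list of IP strings, ttl seconds)
        self.clock = clock
        self.cache = {}            # fqdn -> (set of ip_address objects, expiry time)

    def resolved_ips(self, fqdn):
        fqdn = fqdn.rstrip(".").lower()          # normalise case and trailing dot
        entry = self.cache.get(fqdn)
        if entry is None or entry[1] <= self.clock():   # missing or expired
            ips, ttl = self.resolver(fqdn)
            entry = ({ipaddress.ip_address(ip) for ip in ips}, self.clock() + ttl)
            self.cache[fqdn] = entry
        return entry[0]

    def matches(self, rule_fqdns, dest_ip):
        """True if dest_ip is in the node's cached answers for any rule FQDN."""
        dest = ipaddress.ip_address(dest_ip)
        return any(dest in self.resolved_ips(f) for f in rule_fqdns)

# Constructed sample data: the same name answered differently per resolver location.
GEO_ANSWERS = {
    "dc-resolver": {"app.example.com": (["203.0.113.10", "203.0.113.11"], 60)},
    "client-resolver": {"app.example.com": (["198.51.100.20"], 60)},
}

def make_resolver(view):
    def resolve(fqdn):
        return GEO_ANSWERS[view].get(fqdn, ([], 30))   # unknown name: empty answer
    return resolve

def find_unmatched(rule_fqdns, client_view, node):
    """Client-resolved IPs that the node's FQDN rule would fail to match."""
    missed = []
    for fqdn in rule_fqdns:
        ips, _ttl = make_resolver(client_view)(fqdn)
        missed += [ip for ip in ips if not node.matches([fqdn], ip)]
    return missed

if __name__ == "__main__":
    node = FqdnRuleCache(make_resolver("dc-resolver"))
    print(node.matches(["app.example.com"], "203.0.113.10"))
    print(find_unmatched(["app.example.com"], "client-resolver", node))
```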

