How to redirect DNS requests to Zscaler

We have users in the office who use Zscaler via a GRE tunnel. DNS Control is set up to allow DNS resolution.
If a user (or malware) issues a DNS request explicitly targeting an internet DNS server, we would like that to be redirected to Zscaler.

So “nslookup www.amazon.com 8.8.8.8” should not go to 8.8.8.8. Instead we want to redirect it to Zscaler for resolution.

We tried using a DNS Control policy with Action=Redirect and the redirect server set to one of the Global ZEN VIPs, 185.46.212.88, but that fails.

Please advise how to redirect to Zscaler in such cases.

Are you using Tunnel 1.0, 2.0 or tunnel with local proxy?

If it’s via GRE the ZEN will automatically intercept it.

Tunnel 2.0 from remote and GRE from offices

If that is the case, I am good!

Just looking for some documented evidence that this is indeed the case.