"ISP DNS Hijacking" behavior with short names over ZPA

Has anyone encountered ISPs responding to DNS requests when using legacy short names? This is inhibiting the ability to leverage our DNS suffix lists while utilizing ZPA. While we are pushing for companies to use FQDN, we still support a large amount of legacy technologies that utilize short names.

This is not a ZPA issue, but I was hoping someone else had encountered this and, if so, whether you have had any workarounds. Unfortunately, having users change DNS servers or opt out of this behavior is not efficient at scale, nor do we want to ask users to make changes to their networks.

Hello Garrett,

One way to solve this issue is to set the ‘Domain validation in ZApp’ option when specifying DNS search domains in ZPA - https://help.zscaler.com/zpa/about-applications/dnsDomains. ZApp will respond with NXDomain for invalid domains and in turn allow the OS to cycle through additional search domains.
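As an added illustration (not code from this thread or from Zscaler), here is a small Python model of the search-list walk the reply relies on: an upstream that answers every unknown name stops the cycle at the first suffix with a wrong address, while an NXDOMAIN answer lets the OS move on to the next search domain. Zone names and addresses are constructed placeholders, and the "validating" resolver is a simplified stand-in for the client behaviour described above.

```python
"""Model of how an OS resolver walks a DNS search list, used to show why an
upstream that answers every unknown name breaks short-name resolution.

Constructed example; not code from the thread, ZPA or Zscaler Client Connector.
Zone names and addresses are placeholders."""

NXDOMAIN = None  # a resolver returning this tells the OS to try the next suffix

# Constructed private zone reachable through ZPA: only this FQDN really exists.
PRIVATE_ZONE = {"legacyapp.corp.example": "10.1.2.3"}
SEARCH_DOMAINS = ["region.example", "corp.example"]  # order the OS tries them in
ISP_SINK = "198.51.100.9"  # constructed "search assist" address an ISP might return


def hijacking_resolver(fqdn):
    """Upstream that never says NXDOMAIN: unknown names get the ISP sink address."""
    return PRIVATE_ZONE.get(fqdn, ISP_SINK)


def validating_resolver(fqdn):
    """Simplified stand-in for domain validation: names under a configured search
    domain that do not exist get NXDOMAIN, so the OS moves to the next suffix."""
    return PRIVATE_ZONE.get(fqdn, NXDOMAIN)


def resolve_short_name(short_name, search_domains, resolver):
    """Append each search domain in turn; stop at the first non-NXDOMAIN answer.
    Returns (fqdn_tried, address), or (None, None) if every suffix fails."""
    for suffix in search_domains:
        fqdn = f"{short_name}.{suffix}"
        answer = resolver(fqdn)
        if answer is not NXDOMAIN:
            return fqdn, answer
    return None, None


def is_hijacked(resolver, probe="zzz-unlikely-name-7f3a.corp.example"):
    """Detection check: a name that should not exist but still gets an address
    indicates the upstream is synthesising answers instead of returning NXDOMAIN."""
    return resolver(probe) is not NXDOMAIN


if __name__ == "__main__":
    print(resolve_short_name("legacyapp", SEARCH_DOMAINS, hijacking_resolver))
    # ('legacyapp.region.example', '198.51.100.9')  <- wrong host, cycle stopped early
    print(resolve_short_name("legacyapp", SEARCH_DOMAINS, validating_resolver))
    # ('legacyapp.corp.example', '10.1.2.3')
```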