Non-qualified domains

Is it possible to configure ZPA to route all non-qualified domains internally via ZPA? I’ve found a business unit who highly leveraged non-qualified internal DNS records to make “shortcuts” to services; they even map shared drives via non-qualified names. Seeing that non-qualified names don’t do much on the internet, ZPA should treat these as inside of a private zone, right?

I think I could add all of the unqualified names to the ZPA “this is internal” table, but that would be painful.

Hi Mark,

There’s no way to configure ZPA to send all non-qualified domain names internally, but we do have a feature that may help you address this use case:

You can specify your internal DNS search domains in ZPA, and those DNS domains will be queried when the user enters a non-qualified domain name. That will enable the shortname entered by the user to match a wildcard domain or FQDN defined in a ZPA app segment. Please see https://help.zscaler.com/zpa/about-applications/dnsDomains for details…

Regards,
Lisa

Hi Lisa - thanks. We have the search domains set up in Zscaler, but it appears to not run through the complete list. I can see in the logs that it appends the first search domain in the list (the domain default) to the hostname, and sends it through for internal resolution, where it fails because that host doesn’t exist in that zone.

I am not sure if this is a problem with my Windows search domains, or an issue with how Zscaler handles internal DNS resolution.