O365 One Click and DNS Interception

Hi. According to Zscaler documentation and training materials, DNS to O365 is being intercepted by Zscaler to make sure users are redirected to the closest Microsoft’s PoP/DC. Does this apply even if we use 3rd party DNS security, such as Umbrella?

Is my understanding correct that the flow will be as follows:

1. User sends DNS query
2. Zscaler allows it through based on FW policy
3. Umbrella receives DNS query and sends a reply back
4. Zscaler intercepts DNS response and replaces IP address with what it believes is closest
5. User initiates O365 connection

Or… is it as simple as:

1. User sends DNS query
2. Zscaler intercepts it because it is destined to O365
3. Zscaler sends DNS response back with what it thinks is the closest IP address
4. User initiates O365 connection?

In the second case it means Umbrella will never ever see any O365 DNS queries.

Regards

The DNS optimization function is actually applied during the flow of the actual HTTP/HTTPS data flow. See this page for clarification: https://help.zscaler.com/zia/about-advanced-settings#dns-optimization

-Mike

Thanks @Mike_Richard.

It does say that this feature also works even if SSL inspection is not enabled (bypass) because SNI is visible during TLS handshake. I am trying to understand how redirection happens in this particular case? TCP connection HAS to establish before TLS handshake can happen. This means TCP connection is ALREADY established to the server IP returned by original DNS query/response.

So, you have to terminate the original TCP connection and somehow tell the client that it has to re-establish the TCP connection to a different IP.

In the case of HTTP and HTTP(S) where you perform decryption it is obvious, as you terminate the connection and you are in full control, but I am not quite sure how this one works for bypassed HTTPS?

Would you be so kind to explain?

Regards

Actually, you probably intercept and terminate TCP connection, but then pass through HTTPS through this proxied TCP?.. which makes sense… correct me if I am wrong.

That’s correct, even in the case where TLS inspection is NOT enabled we are still terminating the TCP connection at our enforcement node.

Great. Thanks Mike!

Last thing I'd like to clarify. The DNS optimization feature optimizes DNS for everything except O365 DNS? I believe O365 optimization is being covered by the ONE CLICK feature? Is there an overlap between the two features?

Scenario A: O365 ONE click is enabled & DNS optimization is not enabled = O365 DNS is optimized, the rest is not
Scenario B: O365 ONE click is disabled & DNS optimization is enabled = O365 DNS is still optimized, as well as other destinations?
Scenario C: O365 ONE click is enabled & DNS optimization is enabled = all destinations are optimized?

O365 traffic is optimized by default (I believe whether or not One Click is enabled). All other traffic is controlled by the DNS Optimization settings as configured per the Advanced Settings.