SIPA app segments give bad DNS?

Hello,
I have run into an issue and I think I have narrowed it down to something with SIPA. We do not have ZPA per se, but from my understanding, SIPA works on similar principles.

I am setting up a mix of SDWAN and Zscaler, utilizing both ZCC and local IPSEC tunnels for connectivity. We then use Source IP Anchoring (SIPA) for all of the sites that require traffic to come from our own public IP. I am to a point where I am trying to forward all traffic out over local IPSEC tunnels, which works well for everything except for any sites that are listed in our App Segments that forward to our SIPA connectors. It seems that after changing the default route for traffic to take the Zscaler tunnels, all local DNS servers start giving an IP of 10.255.255.x as the response for any URLs in the app segments. As I was writing this I realized that I do not have UDP 53 set on our app segments, could that be the issue?

I should add: our DNS servers do not have the ZCC client on them, only our users do. When the default traffic path is not set to use the Zscaler tunnels, SIPA works fine for all of our users, and since the DNS servers are not proxies, they return normal DNS records for the app URLs. It's only when I change the traffic path to send all traffic to Zscaler that the DNS servers start returning the 10.255.255.x addresses. So I am assuming it has something to do with the DNS servers being non-authenticated traffic, but my knowledge of SIPA and ZPA is limited.

SIPA works for all UDP and TCP traffic, but it’s important to keep in mind that it works differently for non-HTTP(S) traffic vs. HTTP(S) traffic. The main reason is that HTTP(S) packets contain a value that describes the destination FQDN (or IP address) which the ZIA ZEN can use to trigger the SIPA forwarding process. For HTTP, this value is inside the Host header, for HTTPS, the value is inside the SNI. Non-HTTP(S) traffic typically does not have this type of value where the FQDN is part of the session packets, so for non-HTTP(S) traffic SIPA takes a different approach.

Hence, if your SIPA traffic is HTTP(S) only you can simply disable the ZPA DNS Control rules in ZIA (Policy → DNS Control). In case you do require the non-HTTP(S) to function, you will have to keep the DNS Control rules in place. The DNS Control rules are there to allow you to force this traffic to your tunnel to ZIA, i.e. you can send the 10.255.255.0/24 range into the tunnel. Please note that the IP space used for SIPA DNS resolution is customizable (Administration → IP & FQDN Groups → IP Pool).

To answer your questions:

  1. You do not need to add port 53 to your app segment configuration
  2. ZCC is not required for SIPA to work. First and foremost, your SIPA traffic (i.e. the traffic going to 10.255.255.0/24) should first make it to ZIA. Once that happens, the SIPA forwarding is handled solely by the ZIA and ZPA cloud.

Happy to answer any follow-up questions you have.

1 Like
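
An added example, not part of the thread and not Zscaler code: a small Python check for the condition the answer describes, namely that DNS answers rewritten into the SIPA pool (10.255.255.0/24 by default) must be routed into the tunnel to ZIA. The hostnames, route entries, next-hop names and status labels are constructed for illustration; replace them with the answers from your DNS servers and the site router's route table.

```python
import ipaddress

# Default SIPA DNS pool from the answer above; it is customizable in ZIA.
SIPA_POOL = ipaddress.ip_network("10.255.255.0/24")

def next_hop(ip, routes):
    """Longest-prefix match over (cidr, next_hop) pairs; None if no route."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, hop in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def audit(answers, routes, tunnel_hops, pool=SIPA_POOL):
    """Return {(fqdn, ip): (status, next_hop)} for every DNS answer.

    answers:     {fqdn: [ip, ...]} as returned by the local DNS servers
    routes:      [(cidr, next_hop_name), ...] from the site router
    tunnel_hops: next-hop names that are the IPsec tunnels to ZIA
    """
    report = {}
    for fqdn, ips in answers.items():
        for ip in ips:
            hop = next_hop(ip, routes)
            if ipaddress.ip_address(ip) not in pool:
                status = "real-record"         # answer was not rewritten
            elif hop in tunnel_hops:
                status = "sipa-reaches-zia"    # synthetic IP goes into the tunnel
            else:
                status = "sipa-not-tunnelled"  # synthetic IP never gets to ZIA
            report[(fqdn, ip)] = (status, hop)
    return report

# Constructed sample data: the default route uses the tunnel, but a more
# specific RFC 1918 route sends the SIPA pool elsewhere.
ANSWERS = {"app.example.com": ["10.255.255.17"],
           "www.example.org": ["203.0.113.10"]}
ROUTES = [("0.0.0.0/0", "zia-ipsec"), ("10.0.0.0/8", "sdwan-overlay")]
TUNNELS = {"zia-ipsec"}

if __name__ == "__main__":
    for key, value in audit(ANSWERS, ROUTES, TUNNELS).items():
        print(key, value)
```

With the sample routes the pool address is flagged `sipa-not-tunnelled`; adding a `10.255.255.0/24` route that points at the tunnel changes it to `sipa-reaches-zia`.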