I have run into an issue and I think I have narrowed it down to something with SIPA. We do not have ZPA per se, but from my understanding, SIPA works on similar principles.
I am setting up a mix of SDWAN and Zscaler, utilizing both ZCC and local IPSEC tunnels for connectivity. We then use Source IP Anchoring (SIPA) for all of the sites that require traffic to come from our own public IP. I am at a point where I am trying to forward all traffic out over local IPSEC tunnels, which works well for everything except for any sites that are listed in our App Segments that forward to our SIPA connectors. It seems that after changing the default route for traffic to take the Zscaler tunnels, all local DNS servers start giving an IP of 10.255.255.x as the response for any URLs in the app segments. As I was writing this I realized that I do not have UDP 53 set on our app segments; could that be the issue?
I should add: our DNS servers do not have the ZCC client on them, only our users do. When the default traffic path is not set to use the Zscaler tunnels, SIPA works fine for all of our users, and since the DNS servers are not proxies, they return normal DNS records for the app URLs. It's only when I change the traffic path to send all traffic to Zscaler that the DNS servers start returning the 10.255.255.x addresses. So I am assuming it has something to do with the DNS servers being non-authenticated traffic, but my knowledge of SIPA and ZPA is limited.
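A diagnostic for the symptom described in the post, added here as an example and not code from the poster or from Zscaler: it sends an A query directly to a chosen resolver (bypassing the OS stub resolver and any ZCC interception on the querying host) and flags answers in the 10.255.255.0/24 range the poster is seeing, so the per-resolver behaviour can be compared before and after the default-route change. The range, the resolver address and the hostname are assumptions taken from the post; the embedded response packet is constructed so the parser can be checked offline.

```python
import ipaddress
import socket
import struct

# Assumption: the synthetic range the poster reports; adjust if your tenant differs.
SYNTHETIC_RANGE = ipaddress.ip_network("10.255.255.0/24")

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A/IN query (standard query, recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _skip_name(data: bytes, offset: int) -> int:
    """Advance past an (optionally compressed) name; return the next offset."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1 + length

def parse_a_records(resp: bytes) -> list:
    """Return IPv4 addresses from the answer section of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    offset = 12
    for _ in range(qd):                       # skip question entries
        offset = _skip_name(resp, offset) + 4
    addrs = []
    for _ in range(an):
        offset = _skip_name(resp, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:         # A record
            addrs.append(str(ipaddress.IPv4Address(resp[offset:offset + 4])))
        offset += rdlen
    return addrs

def classify(addrs: list) -> dict:
    """Label each answer as a ZPA/SIPA-style synthetic IP or a real record."""
    return {a: ("synthetic" if ipaddress.ip_address(a) in SYNTHETIC_RANGE else "real")
            for a in addrs}

def query_resolver(resolver_ip: str, name: str, timeout: float = 2.0) -> dict:
    """Ask one specific resolver directly over UDP/53 and classify its answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        resp, _ = s.recvfrom(4096)
    return classify(parse_a_records(resp))

# Constructed response: one A answer for app.example.com using a name pointer.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + build_query("app.example.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                   + bytes([10, 255, 255, 17]))
```

Running `query_resolver("<your-dns-server-ip>", "<app-segment-fqdn>")` from a host with and without ZCC shows whether the synthetic answer originates at the internal DNS server itself or is injected on the querying host.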