What is DNS Control?

DNS Control is a unique DNS proxy mechanism that provides complete visibility into, and control over, all DNS traffic, regardless of which resolvers on the internet the endpoint targets or which DNS protocol it uses (UDP, TCP, or encrypted DNS over HTTPS), and it improves overall DNS performance and user experience.

DNS Control provides unmatched policy control to mitigate the risk of malware transmission, identify infected endpoints by their use of DNS tunnels, and enforce that the domains visited comply with organizational standards and acceptable use. DNS Control also blends domain geo-location into policy and can block on that basis, in addition to allowing or redirecting the request or forging the IP address returned in the DNS response.

DNS response performance is greatly improved by the optional recursive resolvers in each of Zscaler’s 150 data centers, which provide geo-proximate resolution so that roaming users always get the nearest, best-performing access point for a domain.

DNS Control also includes detailed dashboard reporting and forensically complete, enriched logs for every DNS transaction.

DNS Control is available as a module of Cloud Firewall, included in the Essential edition (new for FY23) or available standalone.

DNS Control features include:

  • Complete visibility and control over every DNS request and response, regardless of the DNS resolver selected by the endpoint/user, TLS encryption, or evasive behavior
  • Categorize domain requests or IP responses on a per user/group/department basis
  • Combine rule conditions such as request type and geo-location
  • DNS tunnel categories and DNS applications as a rule condition (Not included in Essentials or Business Editions)
  • Protocol type as a rule condition, including DNS over UDP, DNS over TCP, or DNS over HTTPS
  • Block, allow, redirect request, or rewrite DNS response values as configurable actions (Not included in Essentials or Business Editions)
  • Rule policy applies to both recursive and iterative requests
  • Optionally redirect all (or only conditionally selected) recursive DNS requests to the Zscaler Trusted Resolver (ZTR) in each local data center for performance and added security (DNSSEC iterative resolution)
  • DNS dashboard reporting
  • Available API for domain/URL categorization queries
  • Log every transaction in a forensically complete and enriched format
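To make the "block / allow / rewrite DNS response" actions concrete at the wire level, here is an added example of the core of a DNS policy proxy. It is illustrative code written for this page, not Zscaler's DNS Control implementation: it parses a single-question DNS query as it arrives over UDP or TCP (a DoH request carries the same message as its HTTP body), applies a longest-suffix policy match, and either answers NXDOMAIN (block), answers with a forged A record pointing at a sinkhole (rewrite), or hands the query back for upstream forwarding (allow). The POLICY table, the domain names and the sinkhole address 10.0.0.53 are constructed for the example; the action names are hypothetical and do not correspond to product configuration.

```python
"""Minimal DNS policy proxy core: parse a wire-format query, apply a rule, build a response.
Added example for illustration; not Zscaler code. Uses only the standard library."""
import struct
import ipaddress

# Hypothetical rule actions (not product terminology).
ALLOW, BLOCK, FORGE = "allow", "block", "forge"

# Constructed policy table for the example: suffix match on the queried name, longest suffix wins.
POLICY = {
    "malware.example": (BLOCK, None),           # answer NXDOMAIN, client never gets an address
    "tracker.example": (FORGE, "10.0.0.53"),    # answer with a constructed sinkhole address
}

def parse_qname(msg, offset):
    """Decode an uncompressed QNAME starting at offset; return (lower-cased name, next_offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a query name")
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset

def parse_query(msg):
    """Return (id, flags, qname, qtype, qclass) for a single-question DNS query."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    ident, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000:
        raise ValueError("not a query (QR bit set)")
    if qdcount != 1:
        raise ValueError("only single-question queries are handled")
    qname, off = parse_qname(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return ident, flags, qname, qtype, qclass

def match_rule(qname):
    """Longest-suffix match of qname against POLICY; anything unmatched is allowed."""
    best = None
    for suffix, rule in POLICY.items():
        if qname == suffix or qname.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, rule)
    return best[1] if best else (ALLOW, None)

def encode_qname(name):
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(ident, name, qtype=1):
    """Build a standard recursive query (RD=1, class IN); used to construct sample input."""
    return struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0) + encode_qname(name) + struct.pack("!HH", qtype, 1)

def build_response(ident, qflags, qname, qtype, qclass, action, forged_ip=None):
    """Build the wire-format answer for BLOCK or FORGE; QR=1, AA=1, RD copied from the query."""
    base_flags = 0x8400 | (qflags & 0x0100)
    question = encode_qname(qname) + struct.pack("!HH", qtype, qclass)
    if action == BLOCK:
        # RCODE=3 (NXDOMAIN), no answer records.
        return struct.pack("!HHHHHH", ident, base_flags | 3, 1, 0, 0, 0) + question
    if action == FORGE and qtype == 1:
        # One A record: name is a compression pointer to the question at offset 12, TTL 60, RDLENGTH 4.
        rdata = ipaddress.IPv4Address(forged_ip).packed
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, qclass, 60, 4) + rdata
        return struct.pack("!HHHHHH", ident, base_flags, 1, 1, 0, 0) + question + answer
    if action == FORGE:
        # Other types (e.g. AAAA) for a sinkholed name get an empty NOERROR answer, so the
        # client has nothing to use except the forged A record and cannot bypass the sinkhole over IPv6.
        return struct.pack("!HHHHHH", ident, base_flags, 1, 0, 0, 0) + question
    raise ValueError("no response is built for ALLOW; forward upstream instead")

def handle_query(msg):
    """Return (action, response_bytes); response_bytes is None when the query should be forwarded."""
    ident, qflags, qname, qtype, qclass = parse_query(msg)
    action, forged_ip = match_rule(qname)
    if action == ALLOW:
        return ALLOW, None
    return action, build_response(ident, qflags, qname, qtype, qclass, action, forged_ip)

if __name__ == "__main__":
    for name in ("www.example.com", "www.malware.example", "cdn.tracker.example"):
        action, resp = handle_query(build_query(0x1234, name))
        print(f"{name:24s} -> {action:6s} {'forward upstream' if resp is None else resp.hex()}")
```

A real proxy would wrap `handle_query` in a UDP/TCP listener (and an HTTP handler for DoH), forward ALLOW queries to an upstream resolver, and log the query, the matched rule and the answer for every transaction; the policy decision and the forged answer shown here are the part that is protocol-independent.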

Great post! Not sure if my question is related to this but I’ll ask anyway:

When ZCC is enabled with both ZIA + ZPA, and with Tunnel 2.0 + Packet Filter, what DNS servers are being used when DNS Control is enabled? Is it my ISP’s or Zscaler’s?

How about when DNS is disabled?

Thanks in advance.