Why is DNS resolving a synthetic IP address for the publicly hosted URL?

When I am trying to resolve the URL which is publicly hosted, the DNS is getting resolved to a synthetic IP.
Actually it should resolve to the public IP address.


  • Is the FQDN matching any of the applications defined under ZPA application segments?
  • You should see the FQDN resolving to the synthetic IP range if it matches a ZPA app segment.
  • If the FQDN is resolving to an IP in the subnet, then this could be matching a SIPA app segment.

The default Client Forwarding policy forwards all traffic (defined in the app segment) via ZPA, so if the URL (publicly hosted) matches any of the wildcard FQDNs defined in the app segment, then to restrict them from going via ZPA (resolving to a 100.64.x.x IP) I think you can add a default bypass Client Forwarding policy just above the default forward, and add a more specific Client Forwarding policy (to allow only the permitted applications to go via ZPA).
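To make the two checks suggested above repeatable (is the answer inside the ZPA synthetic range, and which app-segment entry is the name matching), here is a small diagnostic script. It is an added example, not code from the original thread or from Zscaler: the segment list is constructed, the synthetic range 100.64.0.0/10 is the RFC 6598 carrier-grade NAT block the 100.64.x.x answers fall into, and the wildcard matching in `matching_segments` is a deliberately simplified assumption ("*.suffix" matches any name below the suffix, a plain entry matches only that exact name), not a statement of ZPA's real matching rules.

```python
import ipaddress
import socket

# Block that ZPA synthetic addresses (100.64.x.x) fall into: RFC 6598 shared address space.
SYNTHETIC_RANGE = ipaddress.ip_network("100.64.0.0/10")

# Constructed example of app-segment domain entries; not a real tenant's configuration.
SAMPLE_SEGMENTS = ["*.corp.example.com", "intranet.example.com", "*.example.com"]


def is_synthetic(addr: str) -> bool:
    """True if the address lies inside the synthetic range handed back for ZPA-intercepted names."""
    return ipaddress.ip_address(addr) in SYNTHETIC_RANGE


def matching_segments(fqdn: str, segments) -> list:
    """Return the segment entries this FQDN matches.

    Assumed, simplified semantics (not ZPA's documented rules):
    "*.suffix" matches any name that ends in ".suffix"; a plain entry matches only
    that exact name. Comparison is case-insensitive and ignores a trailing dot.
    """
    name = fqdn.rstrip(".").lower()
    hits = []
    for entry in segments:
        e = entry.rstrip(".").lower()
        if e.startswith("*."):
            if name.endswith(e[1:]):  # e[1:] is ".suffix"
                hits.append(entry)
        elif name == e:
            hits.append(entry)
    return hits


def classify(fqdn: str, addresses, segments) -> dict:
    """Split the resolved addresses into synthetic vs public and explain a synthetic answer.

    verdict: "zpa" (all answers synthetic), "direct" (all public) or "mixed".
    """
    synthetic = [a for a in addresses if is_synthetic(a)]
    public = [a for a in addresses if not is_synthetic(a)]
    if synthetic and public:
        verdict = "mixed"
    elif synthetic:
        verdict = "zpa"
    else:
        verdict = "direct"
    return {
        "fqdn": fqdn,
        "verdict": verdict,
        "synthetic": synthetic,
        "public": public,
        "matching_segments": matching_segments(fqdn, segments),
    }


def resolve_ipv4(fqdn: str) -> list:
    """Resolve the FQDN with the host's configured resolver (the Client Connector path, if installed)."""
    infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Constructed answers standing in for a live lookup; swap in resolve_ipv4(name) on a real host.
    samples = {
        "www.example.com": ["100.64.12.7"],      # constructed: intercepted by a wildcard segment
        "www.example.org": ["203.0.113.10"],     # constructed: public answer, no segment match
    }
    for name, answers in samples.items():
        result = classify(name, answers, SAMPLE_SEGMENTS)
        print(f"{name}: {result['verdict']}  synthetic={result['synthetic']} "
              f"public={result['public']}  matches={result['matching_segments']}")
```

A "zpa" verdict together with a non-empty `matching_segments` list is the situation described in the thread: the public name is caught by a wildcard entry, so tightening the segment or adding the more specific bypass policy is the fix, rather than anything on the DNS side.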