Z-Tunnel2.0 always bypasses TCP53


// We've been told that this is a FEATURE by Zscaler support.
// But we want to prevent our employees from accessing the internet directly.
// Does someone have any idea?

We have configured ZCC to send almost all traffic to ZEN with Z-Tunnel 2.0.
Of course, some types of traffic are configured to be bypassed because local functions need them, such as DNS and DHCP on the home router.
But we expected traffic directed to the internet to go through ZEN without any exception.

However, we found that when we use TCP53, the traffic is always bypassed.
We can directly access the internet using TCP53.

We've conducted several tests with my AWS instance, binding some server applications to TCP53.
For example:

case1) HTTP-Proxy (squid) bound to TCP53
ideal) [Browser] → [ZEN] → [AWS/Squid:TCP53] → [Origin Server]
actual) [Browser] → [AWS/Squid:TCP53] → [Origin Server]

In this case, using TCP53, I was able to access the internet without any policy enforcement.
// Proxy configuration is enforced by ZCC.
// So in my test, I used FirefoxPortable.

case2) SMTP-Server (postfix) bound to TCP53.
ideal) [MUA] → [ZEN] → [AWS/postfix:TCP53]
actual) [MUA] → [AWS/postfix:TCP53]

In each test I found the provider-assigned global IP address (NOT the ZEN IP) logged in the server log.
So the traffic must have been sent directly to the internet, bypassing Zscaler.

We want to prevent our employees from accessing the internet directly.
Does anyone have a possible solution?


How are you bypassing DNS? DNS operates on TCP & UDP port 53. If you’re bypassing 53 for both protocols, then you would be going direct when destined for TCP53.


In the first place, we do not allow TCP53 to be bypassed. The problem is that traffic that is not supposed to be bypassed is in fact being bypassed.

But oddly enough, we have confirmed that DNS is not actually bypassed. It looks as if something on the computer is intercepting only DNS traffic.

We see the very same issue. The Z-Tunnel 2.0 profile is not set to bypass DNS, but TCP traffic to port 53 on the public Internet is still allowed straight out through the user's Internet connection without going through Zscaler. Any insights into this are much appreciated.

This can easily be tested using “dig” in a WSL shell (in my case Ubuntu 20.04):

$ dig @ns1.google.com TXT o-o.myaddr.l.google.com +short +notcp
"" <<< Zscaler IP as expected when using UDP
$ dig @ns1.google.com TXT o-o.myaddr.l.google.com +short +tcp
"xx.xx.xx.xx" <<< My broadband IP returned when executing the same query via TCP
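The same UDP-versus-TCP check as a stand-alone script, added here as an example and not part of any post above. It builds the TXT query for `o-o.myaddr.l.google.com` by hand, sends it to `ns1.google.com` once over UDP/53 and once over TCP/53 (with the two-byte length prefix DNS uses on TCP), and reports whether both transports were seen from the same source address. The host and record name come from the thread; the `sample_response` fixture and the `203.0.113.7` address in it are constructed so the parser can be exercised offline, and the live comparison in `main` assumes the machine can reach port 53 at all.

```python
"""Compare the egress path of UDP/53 and TCP/53 DNS queries (added example)."""
import socket
import struct

NS_HOST = "ns1.google.com"          # name server used in the thread's dig test
QNAME = "o-o.myaddr.l.google.com"   # TXT record that echoes the client's source IP
TYPE_TXT = 16
CLASS_IN = 1


def build_txt_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (RD=1) for a TXT record, in wire format."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + question + b"\x00" + struct.pack("!HH", TYPE_TXT, CLASS_IN)


def read_name(msg: bytes, off: int) -> tuple:
    """Decode a (possibly compressed) domain name; returns (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            hops += 1
            if hops > 16:                    # refuse pointer loops in hostile replies
                raise ValueError("too many compression pointers")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_txt_answers(resp: bytes) -> list:
    """Return the TXT strings found in the answer section of a DNS response."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", resp[:12])
    if flags & 0x000F:
        raise ValueError("DNS error, RCODE=%d" % (flags & 0xF))
    off = 12
    for _ in range(qdcount):                 # skip the echoed question(s)
        _, off = read_name(resp, off)
        off += 4                             # qtype + qclass
    texts = []
    for _ in range(ancount):
        _, off = read_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata, off = resp[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT:                # TXT rdata = sequence of <len><chars>
            parts, i = [], 0
            while i < len(rdata):
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
            texts.append("".join(parts))
    return texts


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short DNS/TCP reply")
        buf += chunk
    return buf


def query_udp(server_ip: str, qname: str = QNAME, timeout: float = 3.0) -> list:
    """Send the query over UDP/53 (what `dig +notcp` does) and return the TXT answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(qname), (server_ip, 53))
        return parse_txt_answers(s.recv(4096))


def query_tcp(server_ip: str, qname: str = QNAME, timeout: float = 3.0) -> list:
    """Send the same query over TCP/53 (what `dig +tcp` does); DNS/TCP frames each message with a 2-byte length."""
    q = build_txt_query(qname)
    with socket.create_connection((server_ip, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (rlen,) = struct.unpack("!H", _recv_exact(s, 2))
        return parse_txt_answers(_recv_exact(s, rlen))


def compare_egress(udp_answers: list, tcp_answers: list) -> dict:
    """Summarise whether both transports were observed from the same source IP."""
    return {"udp": udp_answers, "tcp": tcp_answers,
            "same_egress": bool(udp_answers) and udp_answers == tcp_answers}


def sample_response(txid: int, qname: str, txt: str) -> bytes:
    """Constructed offline fixture: a reply echoing `qname` with one compressed-name TXT answer."""
    question = build_txt_query(qname, txid)[12:]
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes([len(txt)]) + txt.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 60, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    ip = socket.gethostbyname(NS_HOST)
    print(compare_egress(query_udp(ip), query_tcp(ip)))
```

When run on a client where Z-Tunnel 2.0 behaves as the thread describes, `udp` holds the ZEN address and `tcp` holds the broadband address, so `same_egress` is `False`; that single boolean is what a fleet-wide compliance check or a post-rollout test would key on.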