Zscaler Private Access and Resolving Wildcard DNS


We have an interesting problem to overcome. We have some FQDNs that resolve to a wildcard; see the example:
nslookup hq.pqone-ebookcentral.pre.int.proquest.com
Server: AADC101.proque.st
Address: 172.25.96.30
Non-authoritative answer:
Name: *.ebookcentral-j.pre.int.proquest.com
Addresses: 10.241.119.140
10.241.51.185
Aliases: hq.pqone-ebookcentral.pre.int.proquest.com

If we try to connect to this on VPN, everything works just fine. If we try to connect via Zscaler, we get nothing; see below:

Anyone else have this issue?

Any ideas on what we can do?

Here is the output when connected with Zscaler:

C:\Users\RMorris1>nslookup hq-pqone-ebookcentral.pre.int.proquest.com
Server: RT-AC86U-D908
Address: 192.168.50.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to RT-AC86U-D908 timed-out

Hello Rick,

Can you please open a support ticket so we can investigate this issue in detail? We would have to look at the app segment configuration, Client Connector logs, etc.

Regards,
Shujaat

nslookup on Windows is unlikely to return the synthetic IP address. Consider running a ping to the host and seeing if you then get the synthetic IP. If you're not getting the synthetic IP address, then check whether you have a ZPA wildcard application segment that matches the FQDN. I notice there are several subdomains in the FQDN (i.e. several dots); you might need to create an app segment with *.pre.int.proquest.com to ensure all hosts under that are captured correctly.
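
As an added example (not from this thread and not Zscaler's own tooling), the Python script below automates the checks suggested in the reply above: it resolves the name through the OS stub resolver (the same path ping uses), reports whether the returned addresses fall in the ZPA synthetic range, and works out which app segment, if any, covers both the queried name and the CNAME target. Two things are assumptions to adjust for your tenant: the synthetic range 100.64.0.0/16 (assumed default) and the matching rule that *.domain covers every name ending in .domain. The sample_resolver table is constructed for offline runs; hq.corp.example.com is a hypothetical host.

```python
"""Added example (not from the thread or from Zscaler): automate the checks
suggested above. Assumptions, to adjust for your tenant:
  * ZPA hands out synthetic IPs from 100.64.0.0/16 (assumed default range).
  * An app segment '*.domain' covers every name that ends in '.domain' and
    has at least one label in front; a bare FQDN segment is an exact match.
"""
import ipaddress
import socket

SYNTHETIC_RANGE = ipaddress.ip_network("100.64.0.0/16")  # assumed ZPA default


def normalize(name):
    """Lower-case and strip the trailing dot so comparisons are stable."""
    return name.strip().rstrip(".").lower()


def segment_matches(fqdn, segment):
    """True if app segment `segment` (wildcard or exact) covers `fqdn`."""
    fqdn, segment = normalize(fqdn), normalize(segment)
    if segment.startswith("*."):
        suffix = segment[1:]  # '*.proquest.com' -> '.proquest.com'
        return fqdn.endswith(suffix) and len(fqdn) > len(suffix)
    return fqdn == segment


def best_segment(fqdn, segments):
    """Most specific (longest) matching segment, or None when nothing covers it."""
    hits = [s for s in segments if segment_matches(fqdn, s)]
    return max(hits, key=len) if hits else None


def classify(addresses):
    """'synthetic' if every address is in the ZPA range, 'real' if none is,
    'mixed' otherwise, 'nxdomain' when the resolver returned nothing."""
    if not addresses:
        return "nxdomain"
    inside = [ipaddress.ip_address(a) in SYNTHETIC_RANGE for a in addresses]
    if all(inside):
        return "synthetic"
    if not any(inside):
        return "real"
    return "mixed"


def system_resolver(fqdn):
    """Resolve through the OS stub resolver, the same path ping uses on Windows.
    Returns (canonical_name, [addresses]); an empty list on NXDOMAIN or timeout."""
    try:
        canonical, _aliases, addresses = socket.gethostbyname_ex(fqdn)
        return canonical, addresses
    except OSError:
        return fqdn, []


def sample_resolver(fqdn):
    """Constructed answers for offline runs: the VPN result from the thread,
    a hypothetical host that already gets a synthetic IP, and NXDOMAIN for
    everything else."""
    table = {
        "hq.pqone-ebookcentral.pre.int.proquest.com":
            ("*.ebookcentral-j.pre.int.proquest.com",
             ["10.241.119.140", "10.241.51.185"]),
        "hq.corp.example.com": ("hq.corp.example.com", ["100.64.1.10"]),
    }
    return table.get(normalize(fqdn), (fqdn, []))


def diagnose(fqdn, segments, resolver=system_resolver):
    """Resolve `fqdn`, then report which segment covers the queried name and
    the CNAME target, and whether the addresses look like ZPA synthetic IPs."""
    canonical, addresses = resolver(fqdn)
    segment = best_segment(fqdn, segments)
    canonical_segment = best_segment(canonical, segments)
    return {
        "fqdn": normalize(fqdn),
        "canonical": normalize(canonical),
        "addresses": list(addresses),
        "verdict": classify(addresses),
        "segment": segment,
        "canonical_segment": canonical_segment,
        # A CNAME target outside every segment is the first thing to rule out
        # when the queried name itself is covered.
        "cname_target_covered": canonical_segment is not None,
    }


if __name__ == "__main__":
    segments = ["*.proquest.com", "*.pre.int.proquest.com", "*.example.com"]
    for name in ("hq.pqone-ebookcentral.pre.int.proquest.com",
                 "hq.corp.example.com",
                 "nothing.proquest.com"):
        print(diagnose(name, segments, resolver=sample_resolver))
```

Run it with the default resolver on the Zscaler-connected machine: a verdict of "nxdomain" for a name whose "segment" is not None means the segment matches on paper but Client Connector is not intercepting the query, which is what to put in the support ticket; "real" means the query bypassed ZPA entirely; "synthetic" means ZPA is handling the name and the problem is further along the path.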

We have a ticket raised, but nothing yet on what we need to do. Was hoping someone in the community found the same issue and had a quick fix.

Here is the ping output:
C:\Users\RMorris1>ping hq.pqone-ebookcentral.pre.int.proquest.com
Ping request could not find host hq.pqone-ebookcentral.pre.int.proquest.com. Please check the name and try again.

C:\Users\RMorris1>

As far as app segments, we have the following:
*.proquest.com
-includes ports 1-52; 54-65535
-health reporting = none
-icmp = enabled
-Client Connector can receive CNAME = enabled

From what I understand, we can go 5 subdomains deep.
I added *.pre.int.proquest.com and got the same results.

We have another one that had a wildcard; we added the FQDN instead of the wildcard and it resolves. For whatever reason, Zscaler has no idea how to route anything that resolves to a wildcard for the domain. When looking at logs, I see nothing in the private portal or the cloud portal.