I’m following on the post Zscaler provide DNS Services
When using Zscaler as DNS server, do we recommend customers’ to use specific Zscaler DNS servers like 184.108.40.206/35 or something else? We are forwarding the traffic to ZScaler via IPSEC, do we have to have an explicit firewall rule to allow DNS quires to 220.127.116.11/35?
Hi @avshch, I believe this post should answer your question - DNS Control deployment architectures, options
@jhelmer Thank you for the reference. Is there any approach to NTP service?
To my knowledge Zscaler doesn’t provide public NTP services, so I would recommend any public NTP service from ntp,org, NIST (US), etc. If using ZIA Cloud Firewall, you would just need to allow the NTP Network Service / Network Application.
Use the Network Service definition for NTP in the firewall as well and not UDP-123.
@GordonWright that’s what we are doing now, but at some point we will be asked to use authenticated NTP. With authenticated NTP we would require to register with NTP source. They are only allowing one registration per company and being a subdivision of a global corp we are not allowed for our own registration. Knowing that we can use ZScaler DNS resolver (with DNS SEC enabled)for DNS queries , we were hoping for utilize the same approach for NTP (if available). Thanks,
would NTS instead of NTP be an alternative for you?
Or sync your time against your ‘motherships’ internal NTP servers (assuming such exist and allow you to)
@Thomas it would be great if we had an option to sync our clocks with NTS or anything on ZScaler side!
not directly ZScaler (which would be a nice additional service they could+should provide) but you could eg sync against time.cloudflare.com via NTS; Introducing time.cloudflare.com
@Thomas thank you for the info. I presume we would need to allow the traffic to Cloudflare NTP service through ZScaler firewall policy, correct? Or is it available before the the traffic hits ZScaler firewall policy? Thanks,
Correct, a simple rule like ‘any → time.cloudflare.com port xyz - allow’ should be all what’s needed here.