ZScloud DNS servers IP addresses


(Alex) #1

We would like to create a firewall rule with Zscaler NGFW, which would allow our internal DNS servers to query Zscaler DNS servers instead of Google DNS servers. Which IP address should we permit DNS traffic to at the Zscaler cloud?


(Andy Logan) #2

Moving to the access control category (firewall) @Naresh_Kumar_PM


(Naresh Kumar) #3

Alex

If the internal DNS traffic originates behind your router and is forwarded via a GRE/IPSEC tunnel, it automatically leverages Zscaler DNS for resolution.

-Naresh


(Alex) #4

I would like to know the actual IP addresses for the Zscaler DNS cloud, so I can forward my DNS traffic there.


(Scott Bullock) #5

You can use the ZEN VIPs as DNS resolvers; to do this you must be coming from a registered and configured location IP or tunnel.


(Ramesh M) #6

Hi,

I tried this: I set 165.225.106.34 as the DNS resolver, and the traffic is coming from a known location. The result is unsuccessful.

Let me know if I missed anything.

Regards / Ramesh M


(Ramesh M) #7

The result is

C:\Users\WIN7>nslookup rediff.com
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 165.225.106.34

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out

C:\Users\WIN7>


(Sri Subramanian) #8

Ramesh,

As Naresh said, you don’t directly access our DNS servers. However, by default, if we see DNS traffic, we reroute it to our internal servers (with Google as backup for load sharing). You have to configure DNAT to override this default behavior.

Same for O365 DNS optimization. No explicit work required, and in this case, we don’t even need to see the DNS request as we will resolve based on SNI.

Hope that clarifies.


(Ramesh M) #9

Hi Sri,

Thanks. If I am using GRE+PAC in a scenario without local DNS, is there any Zscaler DNS server I can configure on the PC?

DNS will happen at the Zscaler end if I am forwarding all traffic to Zscaler through GRE without PAC.

How does the PAC resolution happen in a scenario with no local DNS?

Regards / Ramesh M