Handling DNS Resolutions for Zscaler Cloud Connector

The following table provides information on how Zscaler Cloud Connector handles DNS resolutions for various traffic forwarding methods:

| Traffic Forwarding Method | DNS Resolution Handling |
| --- | --- |
| ZPA Traffic Forwarding | The DNS request arrives at any destination IP address for an FQDN request that matches a Private Applications application. Cloud Connector intercepts requests and responds with a customer-defined synthetic IP address from the customer-defined IP pool. |
| ZIA Traffic Forwarding | The DNS request arrives at Cloud Connector from a workload configured with a custom DNS server destination IP address (e.g., 8.8.8.8). Cloud Connector encapsulates the request with a client source IP and destination DNS IP address (e.g., 8.8.8.8) and forwards the request to Internet & SaaS. You need to configure the Internet & SaaS DNS control and firewall filtering policies to allow the DNS response back to the workload. |
| Direct Traffic Forwarding | The DNS request arrives at Cloud Connector from a workload configured with a custom DNS server destination IP address (e.g., 8.8.8.8). Custom traffic forwarding policy matches the client source IP address, the destination IP address (e.g., 8.8.8.8), or network service (UDP 53) with the forwarding action set to direct. Cloud Connector forwards this request to the destination IP address, modifying the source IP from the client to its own service IP address (Source NAT). |
| Direct Traffic Forwarding with Global VIP | The DNS request arrives at Cloud Connector from a workload configured with a custom DNS server destination that matches a Zscaler Global Public Service Edge IP (e.g., 185.46.212.88). Custom traffic forwarding policy matches the client source IP address, the destination IP address, or network service (UDP 53) with the forwarding action set to direct. Cloud Connector performs both source and destination NAT on the DNS request. The source IP is replaced with Cloud Connector's own service IP address and the destination IP is replaced with the current DNS server configured on the Cloud Connector. |
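
A workload-side check for the ZPA Traffic Forwarding row, added here as an example (it is not Zscaler code): it parses a raw DNS response and confirms that every A record falls inside the synthetic IP pool. The pool `100.64.0.0/16`, the FQDN `app.internal.example`, and the sample response bytes are constructed assumptions; substitute your own pool and application FQDN.

```python
import ipaddress
import struct

POOL = "100.64.0.0/16"  # hypothetical synthetic IP pool, not from the page

def build_query(fqdn, txid=0x1234):
    """Build a minimal DNS A/IN query with the recursion-desired bit set."""
    labels = fqdn.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def skip_name(msg, off):
    """Return the offset just past a name, honouring compression pointers."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        if n == 0:             # root label ends the name
            return off + 1
        off += 1 + n

def a_records(msg):
    """Extract the IPv4 addresses from the answer section of a DNS response."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):                      # skip question(s): name + type + class
        off = skip_name(msg, off) + 4
    out = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            out.append(ipaddress.IPv4Address(msg[off:off + 4]))
        off += rdlen
    return out

def check_synthetic(msg, pool=POOL):
    """True only if the response has A records and all of them are in the pool."""
    net = ipaddress.ip_network(pool)
    addrs = a_records(msg)
    return bool(addrs) and all(a in net for a in addrs)

# Constructed sample: a response answering app.internal.example with 100.64.1.10
SAMPLE_QUERY = build_query("app.internal.example")
SAMPLE_RESPONSE = (SAMPLE_QUERY[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
                   + SAMPLE_QUERY[12:] + b"\xc0\x0c"
                   + struct.pack("!HHIH", 1, 1, 60, 4)
                   + ipaddress.IPv4Address("100.64.1.10").packed)
```

To run it against a live workload, send the bytes from `build_query` over UDP port 53 to any resolver IP address and pass the reply to `check_synthetic`; an answer outside the pool, or no answer, means the request was not intercepted as a private application.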