Secure Internet and SaaS Access (ZIA)
Understanding Zscaler Authoritative DNS Servers
Zscaler authoritative DNS servers support the EDNS Client Subnet (ECS) option, which is carried in the EDNS0 OPT pseudo-record of a DNS query. To learn more, refer to RFC 7871: Client Subnet in DNS Queries and RFC 6891: Extension Mechanisms for DNS (EDNS(0)), which obsoletes RFC 2671. Without ECS, an authoritative server only sees the address of the recursive resolver that forwarded the query, not the client behind it. With ECS, the resolver includes the client's subnet (RFC 7871 recommends truncating it to a /24 for IPv4 or a /56 for IPv6), so Zscaler's authoritative servers can identify the approximate origin of the request and return a response chosen for the user's location rather than the resolver's.
For example, consider a client at a remote location in South Africa requesting DNS resolution for gateway.zscalertwo.net through Google Public DNS (8.8.8.8). The query is routed to the nearest Google data center, in this example one in Switzerland. The recursive resolver in Switzerland then contacts the zscalertwo.net authoritative name servers located in Washington D.C. Because the resolver's own address is Swiss, a server without ECS would answer with the Virtual IP address (VIP) of a European data center. If the query includes the ECS option, the authoritative server in Washington D.C. identifies the client's South African subnet instead and returns the VIP of the Zscaler data center in Johannesburg or Cape Town, whichever is closer to the client.
This feature significantly reduces latency between users and the Zscaler PoP by routing users to the nearest PoP. It mainly benefits users whose queries pass through third-party or public resolvers, such as OpenDNS, Google Public DNS, or Infoblox, that sit far from the user, provided the resolver actually forwards ECS. Not every resolver does: some, including Cloudflare's 1.1.1.1, deliberately omit ECS to avoid disclosing client subnets to authoritative servers, and a resolver that drops the option will still receive an answer based on its own location. You can check what a given resolver and the Zscaler authoritative servers do with ECS using dig, for example dig @8.8.8.8 gateway.zscalertwo.net +subnet=198.51.100.0/24 (198.51.100.0/24 is a documentation prefix standing in for the client's subnet); an ECS-aware answer echoes a CLIENT-SUBNET line in the OPT pseudosection whose scope prefix length indicates how broadly the response applies.
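To make the option concrete, the following added example (written for this page, not Zscaler's or any vendor's code) builds the ECS option and the EDNS0 OPT pseudo-record as a recursive resolver would attach them to a query, and then parses them back out the way an ECS-aware authoritative server has to before it can pick a location-specific answer. The query name gateway.zscalertwo.net comes from the text above; the client address 198.51.100.77 is a constructed documentation-range placeholder standing in for the South African client, and the transaction ID and UDP payload size are arbitrary. The decoder enforces the RFC 7871 validity rules (address field length must match the source prefix length, and bits beyond the prefix must be zero), which a server must check before trusting the subnet.

```python
"""EDNS Client Subnet (RFC 7871) inside an EDNS0 OPT RR (RFC 6891): encode on the
resolver side, decode on the authoritative side. Added example, not Zscaler code.
Addresses, names and IDs below are illustrative placeholders."""
import ipaddress
import struct
from typing import Optional

OPT_RR_TYPE = 41              # RFC 6891: the OPT pseudo-RR type
ECS_OPTION_CODE = 8           # RFC 7871: EDNS Client Subnet option code
FAMILY_IPV4, FAMILY_IPV6 = 1, 2


def encode_ecs(address: str, source_prefix: int, scope_prefix: int = 0) -> bytes:
    """ECS option data: FAMILY(2) SOURCE-PREFIX(1) SCOPE-PREFIX(1) ADDRESS(truncated).
    A resolver sends SCOPE 0; a server echoes the option with the scope it answered for."""
    ip = ipaddress.ip_address(address)
    family = FAMILY_IPV4 if ip.version == 4 else FAMILY_IPV6
    if not 0 <= source_prefix <= ip.max_prefixlen:
        raise ValueError("prefix length out of range")
    # Zero the host bits, then keep only as many bytes as the prefix needs
    net = ipaddress.ip_network(f"{address}/{source_prefix}", strict=False)
    addr_bytes = net.network_address.packed[: (source_prefix + 7) // 8]
    return struct.pack("!HBB", family, source_prefix, scope_prefix) + addr_bytes


def decode_ecs(data: bytes) -> dict:
    """Parse ECS option data, rejecting anything RFC 7871 says to answer with FORMERR."""
    if len(data) < 4:
        raise ValueError("ECS option too short")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", data[:4])
    addr = data[4:]
    width = {FAMILY_IPV4: 4, FAMILY_IPV6: 16}.get(family)
    if width is None:
        raise ValueError(f"unsupported address family {family}")
    if source_prefix > width * 8 or scope_prefix > width * 8:
        raise ValueError("prefix length exceeds address size")
    if len(addr) != (source_prefix + 7) // 8:
        raise ValueError("ADDRESS length does not match SOURCE PREFIX-LENGTH")
    ip = ipaddress.ip_address(addr + b"\x00" * (width - len(addr)))
    # Bits past the prefix must be zero; otherwise the client leaked more than it declared
    if ipaddress.ip_network(f"{ip}/{source_prefix}", strict=False).network_address != ip:
        raise ValueError("non-zero bits beyond SOURCE PREFIX-LENGTH")
    return {"family": family, "source_prefix": source_prefix,
            "scope_prefix": scope_prefix, "subnet": f"{ip}/{source_prefix}"}


def is_valid_ecs(data: bytes) -> bool:
    """True if decode_ecs accepts the option data."""
    try:
        decode_ecs(data)
        return True
    except ValueError:
        return False


def _encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _skip_name(packet: bytes, pos: int) -> int:
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = packet[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # 2-byte pointer terminates the name
            return pos + 2
        pos += 1 + length


def build_opt_rr(options, udp_payload_size: int = 1232) -> bytes:
    """OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags."""
    rdata = b"".join(struct.pack("!HH", code, len(val)) + val for code, val in options)
    return b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, udp_payload_size, 0, len(rdata)) + rdata


def build_query(qname: str, client_subnet: str, txid: int = 0x2A2A) -> bytes:
    """The query a recursive resolver sends upstream: one A question plus an OPT RR with ECS."""
    address, prefix = client_subnet.split("/")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, QDCOUNT=1, ARCOUNT=1
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)    # QTYPE A, QCLASS IN
    ecs = encode_ecs(address, int(prefix))
    return header + question + build_opt_rr([(ECS_OPTION_CODE, ecs)])


def ecs_from_query(packet: bytes) -> Optional[dict]:
    """Authoritative side: walk past the question, find the OPT RR, return the decoded
    ECS option, or None when the resolver sent no client subnet."""
    _, _, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", packet[:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(packet, pos) + 4                 # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        name_end = _skip_name(packet, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[name_end:name_end + 10])
        rdata = packet[name_end + 10:name_end + 10 + rdlen]
        pos = name_end + 10 + rdlen
        if rtype != OPT_RR_TYPE:
            continue
        opos = 0
        while opos + 4 <= len(rdata):                     # iterate EDNS options
            code, olen = struct.unpack("!HH", rdata[opos:opos + 4])
            if code == ECS_OPTION_CODE:
                return decode_ecs(rdata[opos + 4:opos + 4 + olen])
            opos += 4 + olen
    return None


if __name__ == "__main__":
    # Constructed example: resolver forwards the client's /24 for the name in the text
    query = build_query("gateway.zscalertwo.net", "198.51.100.0/24")
    print(ecs_from_query(query))                          # subnet the server would route on
```

The scope prefix length is what distinguishes a request from a response: the resolver sends 0, and the server sets it to the shortest prefix for which its answer is valid (for example 16, meaning "any client in this /16 gets the same VIP"), which is also the key the resolver must cache the answer under. A resolver that strips the option, or a client that queries a resolver that never adds it, produces a packet for which ecs_from_query returns None, and the server falls back to the resolver's address.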