ZPA DNS & Routing

ZPA routing decisions are based on two factors:

1. On the user side, the lowest RTT to serve the user (Zscaler Client Connector).
2. On the egress side, which node is nearest to the application.

  • When the client issues a DNS request, ZCC intercepts that request. If ZCC identifies the FQDN as a ZPA internal application domain, ZCC sends a request called a "DNS Client Check" to the upstream Broker.

  • ZCC waits for the Broker to confirm that this is a valid DNS request before proceeding with redirection into ZPA.

If the Broker confirms that this is a valid domain for ZPA interception, ZCC answers the client's DNS query with a synthetic IP taken from the netblock that belongs to its virtual interface.

100.64.0.1/16, which lies within the RFC 6598 shared address space, is the network ZCC uses for its synthetic IP addresses. In the client's local routing table, ZCC adds a route for this netblock pointing at its virtual interface, so any traffic to a synthetic IP is steered into the ZPA tunnel.
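The flow above, modelled as an added example (not Zscaler's code): a simulated Broker "DNS Client Check", a resolver that hands out synthetic IPs from 100.64.0.0/16 and remembers the FQDN behind each one, and a longest-prefix-match route lookup showing why those addresses reach the virtual interface. The app-domain list, the wildcard matching and the interface names are assumptions constructed for the example.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed placeholder list of ZPA application domains the Broker would
# confirm; a real deployment learns these from ZPA policy. Wildcard matching
# via fnmatch is an assumption made for this example.
ZPA_APP_DOMAINS = ["*.corp.example", "intranet.example"]
SYNTHETIC_NET = ipaddress.ip_network("100.64.0.0/16")  # ZCC synthetic range from the notes
RFC6598 = ipaddress.ip_network("100.64.0.0/10")         # shared address space


def broker_dns_client_check(fqdn: str) -> bool:
    """Simulated 'DNS Client Check': does the FQDN belong to a ZPA app segment?"""
    fqdn = fqdn.rstrip(".").lower()
    return any(fnmatch(fqdn, pattern) for pattern in ZPA_APP_DOMAINS)


class SyntheticResolver:
    """Models ZCC: intercept DNS, ask the Broker, answer with a synthetic IP."""

    def __init__(self, net=SYNTHETIC_NET):
        # Sanity check: the synthetic block should not collide with routable space.
        assert net.subnet_of(RFC6598), "synthetic range must stay inside RFC 6598 space"
        self._hosts = net.hosts()            # first address handed out is 100.64.0.1
        self.fqdn_to_ip, self.ip_to_fqdn = {}, {}
        # Client routing table: synthetic netblock -> virtual interface (assumed name
        # "zcc-virtual"), everything else -> default route on "eth0".
        self.routes = [(net, "zcc-virtual"), (ipaddress.ip_network("0.0.0.0/0"), "eth0")]

    def resolve(self, fqdn: str):
        """Return the synthetic IP for a ZPA domain, or None to fall through to normal DNS."""
        fqdn = fqdn.rstrip(".").lower()
        if not broker_dns_client_check(fqdn):
            return None
        if fqdn not in self.fqdn_to_ip:      # same FQDN always maps to the same synthetic IP
            ip = next(self._hosts)
            self.fqdn_to_ip[fqdn] = ip
            self.ip_to_fqdn[ip] = fqdn
        return self.fqdn_to_ip[fqdn]

    def lookup(self, ip: str):
        """Reverse map a synthetic IP back to the FQDN it was issued for."""
        return self.ip_to_fqdn.get(ipaddress.ip_address(ip))

    def egress_interface(self, ip: str) -> str:
        """Longest-prefix match over the client's routing table."""
        addr = ipaddress.ip_address(ip)
        best = max((r for r in self.routes if addr in r[0]), key=lambda r: r[0].prefixlen)
        return best[1]
```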