ZPA routing decision are based on
1. Lowest RTT to serve the user (Zscaler Client Connector)
2. From Egress will determine which node is nearest to the app
When the client issues a DNS request, ZCC intercepts that request.. If ZCC identifies the FQDN as a ZPA internal application domain, ZCC will send a request to the upstream Broker called a "DNS Client Check".
ZCC waits for the Broker to confirm that this is a valid DNS request before proceeding with redirection into ZPA.
If the Broker confirms that this is a valid domain for ZPA interception, ZCC responds with a synthetic IP from the netblock that belongs to its virtual interface. This is the synthetic IP.
100.64.0.1/16 (RFC6598) is the network ZCC uses for its synthetic IP addresses. In the client's local routing table, ZCC adds a route for this netblock to its virtual interface.