
Using Zscaler with DoH

Zscaler enhances security by enabling customers to redirect DNS traffic to third-party DoH servers. Through Zscaler's platform, customers can redirect traffic to custom Fully Qualified Domain Names (FQDNs) that they provision themselves. With Infoblox Threat Defense, Zscaler forwards DNS queries over DoH to Infoblox, using the FQDN associated with a specific security policy.

When traffic is sent over DoH, reports in the Infoblox Portal should show the source as "Unknown."

NOTE: To obtain your FQDN, go to the General page of the Create New Security Policy wizard in the Infoblox Portal (Infoblox Portal > Configuration > Security). Copy the auto-generated FQDN, or click regenerate to generate a new FQDN. Note that DoH per Policy must be enabled in order to obtain the FQDN. The DoH endpoint has the format https://FQDN/dns-query.

To configure DoH for Zscaler, perform the following steps.

In the Infoblox Portal, perform the following:

Step 1: In the Infoblox Portal, navigate to Configuration > Security. Click Create New Policy.

Step 2: On the General page of the Create New Security Policy wizard, copy the auto-generated FQDN or click regenerate to create a new FQDN. Note that DoH per Policy must be enabled in order to obtain the FQDN.

In Zscaler:

Step 3: In Zscaler, navigate to Administration > Proxies & Gateways > DNS Gateway.

In the Add DNS Gateway window, do the following:

  • Name: Enter a unique name for the DNS Gateway. Only alphanumeric characters are allowed and the name cannot exceed 255 characters.

  • Protocol: Select DNS over HTTPS from the available list of protocols on the drop-down list.

  • Primary DNS Server: Enter the Fully Qualified Domain Name (FQDN) of the primary DNS service.

  • DoH Port: Specify the DNS over HTTPS (DoH) port in the primary DNS service. The default port is 443.

  • Secondary DNS Server: (Optional) Enter the Fully Qualified Domain Name (FQDN) of the secondary DNS service.

  • DoH Port: Specify the port number for DNS over HTTPS if the secondary DNS service uses a non-default port. The default port is 443.

  • Failure Behavior: Select an action that must be performed if the configured DNS service is unavailable or unhealthy:

    • Return an appropriate error code (SERVFAIL) to the client. If only the primary DNS service is configured, then the error code is sent if the primary DNS service fails. If both primary and secondary DNS services are configured, the error code is sent if both services are unavailable to serve the requests. To learn more, see DNS Insights Logs: Columns.

    • Allow and Ignore DNAT Rules: The DNS request is sent to the originally requested DNS resolver (not specified in the DNS Gateway) using the same protocol as the original user request, without applying any configured DNAT rules.

Image: Adding a DNS gateway in Zscaler


Step 4: Click Save.

Step 5: In the Add DNS Filtering Rule window, do the following:

  • Rule Order: Enter the order of the rule. Zscaler evaluates forwarding rules in ascending numerical order (Rule 1 before Rule 2, and so on). The rule order setting reflects this rule's place in the order. You can change the value based on your requirement.

  • Rule Name: Enter a user-friendly name for the rule. The maximum length is 31 characters. (Avoid using the names of rules that were previously deleted. If you reuse an old name, the service displays the logs for both the deleted rule and the new rule when you view the logs.)

  • Rule Status: Enable this option to actively enforce the rule. Disabling this option does not actively enforce the rule, and the service skips it and moves to the next rule. However, the rule does not lose its place in the rule order.

  • Network Traffic: Select Redirect Request Using DoH from the drop-down list of choices.

  • DNS Gateway: Select the DNS gateway created in Step 3.

Image: Adding Zscaler filtering rules.


Step 6: Click Save to save the configuration.


Step 7: Go to the Zscaler Client Connector login page. Click TURN ON to use your DoH configuration with Zscaler.
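As an added check (example code written for this page, not Infoblox or Zscaler code), the following Python script sends one RFC 8484 GET query to an endpoint in the https://FQDN/dns-query form described above and reports the RCODE, so an administrator can confirm that the Infoblox DoH FQDN answers on port 443 before pointing the Zscaler DNS Gateway at it. The FQDN `doh.example.invalid` and the SERVFAIL reply bytes are constructed placeholders, not values from this page.

```python
import base64
import struct
import sys
import urllib.request

DOH_PATH = "/dns-query"  # path form of the Infoblox DoH FQDN: https://FQDN/dns-query
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Constructed sample reply (not captured from a real resolver): QR=1, RD=1, RA=1, RCODE=2
# (SERVFAIL), one question, no answers: the error a client sees when the DoH service is down.
SAMPLE_SERVFAIL_REPLY = (b"\x00\x00\x81\x82\x00\x01\x00\x00\x00\x00\x00\x00"
                         b"\x07example\x03com\x00\x00\x01\x00\x01")


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal DNS wire-format query (RD=1) for `name`; qtype 1 = A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_url(fqdn: str, query: bytes, port: int = 443) -> str:
    """RFC 8484 GET form: the query travels base64url-encoded, unpadded, in the `dns` parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    host = fqdn if port == 443 else f"{fqdn}:{port}"
    return f"https://{host}{DOH_PATH}?dns={encoded}"


def parse_response(wire: bytes) -> dict:
    """Return transaction id, QR flag, RCODE name and answer count from a wire-format reply."""
    if len(wire) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    rcode = flags & 0x000F
    return {"id": txid, "qr": bool(flags & 0x8000),
            "rcode": RCODE_NAMES.get(rcode, str(rcode)), "answers": an}


def check_doh_endpoint(fqdn: str, name: str = "example.com", port: int = 443, timeout: float = 5.0) -> dict:
    """Send one A query to https://FQDN[:port]/dns-query and parse the reply (needs network access)."""
    req = urllib.request.Request(doh_url(fqdn, build_query(name), port),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip()
        if ctype != "application/dns-message":
            raise ValueError(f"not a DoH reply, Content-Type was {ctype!r}")
        return parse_response(resp.read())


if __name__ == "__main__":
    # Usage: python doh_check.py <FQDN copied from the Infoblox policy wizard> [port]
    print(check_doh_endpoint(sys.argv[1], port=int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

A healthy endpoint returns rcode NOERROR with at least one answer; a non-DoH Content-Type or an HTTP error means the FQDN or DoH per Policy setting should be rechecked before saving the Zscaler gateway.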
