
Is it possible to install Zscaler on a virtual machine (e.g. Linux) and use that machine for accessing only a few hostnames? I would point other machines to go via this virtual machine only for those few hostnames, and everything else would go the normal way (via my local gateway). Is there some easier way to achieve this?

Basically, I want to prevent Zscaler from inspecting all the traffic I generate on my machine.

UPDATE

So, I managed to do this somewhat. I just installed Zscaler on a VMware Ubuntu server and added an iptables rule:

sudo iptables -t nat -A POSTROUTING -o zcctun0 -j MASQUERADE

where zcctun0 is the interface added by Zscaler.

I also set this in the Windows hosts file:

55.22.22.22 some.server.com

And I added a static route in Windows:

route add 55.22.0.0 mask 255.255.0.0 192.168.44.131 if 19

where if 19 is the VMware NAT network interface that the virtual machine is using, and 192.168.44.131 is Ubuntu's IP on the ens33 interface.

The problem I have now: I need to manually visit some.server.com from Firefox within the VMware Ubuntu server first; otherwise, in Windows I only get connection timeouts when it tries to connect for the first time. As soon as I open some.server.com in Ubuntu, I can access all the servers from Windows as well.

Any idea?

UPDATE

Seems I don't even need to open the page. I can just do

nslookup some.server.com

inside the Ubuntu server, and then it works in Windows too (but only for that domain name).

The strange thing is that nslookup returns 55.22.22.22 as the IP (which is already my setting in the hosts file). It also seems that Zscaler has its own DNS (127.0.0.53#53), so I guess it has to be something to do with that.

UPDATE

After installing bind9 and making it a forwarder to 127.0.0.53, and after adding this in Windows PowerShell: Add-DnsClientNrptRule -Namespace ".somedomain.com" -NameServers "192.168.44.131", everything works from the beginning. Nice...

The only remaining thing is: how to automatically add a static route in Windows when an answer is returned by the 192.168.44.131 DNS, so that it goes via the VMware VM.

  • You probably can't, because it's not a traditional VPN. It does all kinds of trickery with IPs to provide tunnelling, so there's no 1:1 between IP and hostname before you attempt to resolve it.
    – vidarlo
    Commented Sep 6, 2023 at 19:49
  • @vidarlo I guess I could install bind9 inside ubuntu, and maybe direct windows to use this server for some subset of queries (e.g. only for *.server.com). Then maybe bind9 will invoke this nslookup on local 127.0.0.53 maybe and then it potentially works... will try this one now. Commented Sep 6, 2023 at 19:51
  • zScaler ain't made for that. What you're attempting is ultimately a Rube Goldberg contraption.
    – vidarlo
    Commented Sep 6, 2023 at 19:52
  • @vidarlo possibly, but works now with bind9 :D thanks anyway... Commented Sep 6, 2023 at 20:16
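One way to automate the step the question leaves open (adding a Windows route whenever the VM's resolver answers for one of the chosen hostnames), as an added example that is not part of the original question or of any Zscaler tooling. It assumes the addresses from the question (bind9 on the VM at 192.168.44.131, VMware NAT adapter index 19) and the placeholder name some.server.com; it uses only the standard DnsClient and NetTCPIP cmdlets and must run in an elevated PowerShell session.

```powershell
# Added example (not from the original question): resolve a hostname through the
# bind9 forwarder on the Zscaler VM and add a /32 host route for each A record it
# returns, so only that traffic goes via the VM and everything else keeps using
# the local gateway. Values below are assumptions copied from the question.
# Requires an elevated session (New-NetRoute needs administrator rights).

$VmDns     = '192.168.44.131'   # bind9 on the Ubuntu VM, forwarding to 127.0.0.53
$VmGateway = '192.168.44.131'   # the VM is also the next hop for routed traffic
$IfIndex   = 19                 # "if 19" from the question's route add command

function Add-VmRouteForHost {
    param(
        [Parameter(Mandatory)] [string] $HostName
    )
    # -DnsOnly skips the local cache and the hosts file, so the answer really comes
    # from the VM's resolver and not from the 55.22.22.22 hosts entry.
    $records = Resolve-DnsName -Name $HostName -Server $VmDns -Type A -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'A' }

    $added = @()
    foreach ($rec in $records) {
        $prefix = "$($rec.IPAddress)/32"
        # Idempotent: skip addresses that already have a host route via the VM.
        $existing = Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue |
                    Where-Object { $_.NextHop -eq $VmGateway }
        if (-not $existing) {
            # ActiveStore: the route lives until reboot; use PersistentStore to keep it.
            New-NetRoute -DestinationPrefix $prefix -InterfaceIndex $IfIndex `
                         -NextHop $VmGateway -PolicyStore ActiveStore | Out-Null
            $added += $prefix
        }
    }
    return $added
}

# Hostnames to send through the VM; anything not listed keeps using the local gateway.
$hostsViaVm = @('some.server.com')   # placeholder from the question
foreach ($h in $hostsViaVm) {
    $new = Add-VmRouteForHost -HostName $h
    Write-Host ("{0}: added {1} route(s): {2}" -f $h, $new.Count, ($new -join ', '))
}
```

Because the route is bound to whatever address the VM's resolver returned at that moment, it has to be re-run (for example from a scheduled task) if the answer changes, which vidarlo's comment suggests can happen since the addresses are not a fixed 1:1 mapping to hostnames; the question's wider 55.22.0.0/16 route is the coarser alternative that avoids re-running at the cost of catching more addresses. Check the result with Get-NetRoute -NextHop 192.168.44.131 before trusting it.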

3 Answers

1
+50

Not possible on Windows that I know of. Maybe use a DNS proxy?

0

The only remaining thing is: how to automatically add a static route in Windows when an answer is returned by the 192.168.44.131 DNS, so that it goes via the VMware VM.

-1

Welp boss, seems like you're on the right track with your setup and stuff, routing specific traffic through a virtual machine running Zscaler, while allowing other traffic to use your local gateway. However, you've encountered some issues with DNS resolution, and you've made progress toward resolving them.

Just to make sure we're on the same page here: You want to route traffic for specific host names through the Zscaler VM and let everything else use your local gateway? If that be tha case, here's some suggestions to address dat DNS nonsense!

1. DNS Configuration on Ubuntu Server (Zscaler VM):

Ensure that your Ubuntu server (Zscaler VM) is configured to use the appropriate DNS servers. If Zscaler has its own DNS resolver (as you mentioned, 127.0.0.53#53), it's crucial that it resolves the specific hostnames correctly. You may need to configure Zscaler's DNS settings to handle your custom hostname-to-IP mappings.

2. DNS Resolution in Windows:

When Windows tries to access the custom hostnames, it may rely on its own DNS resolution process. Ensure that your Windows machine uses the Ubuntu server (Zscaler VM) as its DNS server for the specific domain(s) you want to route through Zscaler. You've mentioned using Add-DnsClientNrptRule to set this up.

3. DNS Caching on Ubuntu:

In your update, you mentioned that running nslookup some.server.com inside the Ubuntu server seems to resolve the issue for Windows. This suggests that the Ubuntu server might be caching DNS records. Make sure that any DNS caching service on the Ubuntu server is correctly configured to forward DNS queries to Zscaler's DNS resolver.

4. DNS Forwarding with bind9:

You mentioned installing bind9 and configuring it as a forwarder to 127.0.0.53 (Zscaler's DNS). Ensure that bind9 is correctly forwarding DNS queries for the specific domain(s) you want to route through Zscaler. Verify that your DNS configuration in bind9 includes the necessary forward zones.

5. Testing and Verification:

After configuring the DNS settings on both the Ubuntu server and Windows, test DNS resolution for the custom hostnames from Windows to ensure they resolve to the correct IP addresses. You can use nslookup or ping to verify that the DNS resolution works as expected.

6. Clear DNS Cache:

If you make changes to DNS settings on either the Ubuntu server or Windows, it's a good practice to clear the DNS cache on both systems to ensure that the new settings take effect immediately.

Soooooooooooo, by ensuring that both your Zscaler VM and Windows machine are configured to use da correct DNS servers and forwarding rules, you should be able to route traffic for specific hostnames through the Zscaler VM while allowing other traffic to use your local gateway. The DNS configuration plays a critical role as the HMFIC in making this setup work smoothly.

Hope this helps!

  • This looks like a chat-gpt generated answer. A lot of text, but no answer that I need... Commented Sep 9, 2023 at 10:36
