Skip to content

DNS flows

Here's an overview of how DNS works when you access an application using ZTNA. You can access an application with the ZTNA agent, or through your browser.

DNS flow with agent

DNS agent flow

  1. The remote user attempts to access a private application, app.mycompany.net, through their browser.

  2. The DNS request is intercepted and forwarded to the ZTNA agent.

    Note

    The ZTNA agent resolves the private application FQDN to the Carrier Grade Network Address Translation (CGN) network IP and also handles all the traffic destined for the private application's FQDN.

  3. The ZTNA agent sends a DNS request to the public DNS server for the ZTNA gateway's IP address. This is needed to establish the tunnel with the ZTNA gateway.

    Note

    The public DNS server has an A record entry for the ZTNA gateway that points to the gateway’s IP.

  4. The public DNS server sends the ZTNA gateway's IP address (203.0.113.20) back to the ZTNA agent.

  5. Mutual TLS encryption is performed between the ZTNA agent and the ZTNA gateway, and a tunnel is established. All communication with the ZTNA gateway happens over the secure tunnel.

  6. The agent sends the application traffic for app.mycompany.net to the ZTNA gateway through the tunnel.

  7. The ZTNA gateway sends the DNS query for app.mycompany.net to the private DNS server to find out where the specific application server IP is.

  8. The private DNS server returns the application server’s IP address (192.168.1.20) and traffic is forwarded by the ZTNA gateway to the application server.

  9. The remote user can access the private application through the tunnel.

Note

The user can only access the private application after authentication and authorization, but they aren't included in this topic.

DNS agentless flow

DNS agentless flow

  1. The remote user attempts to access a private application, app.mycompany.net, through their browser.

  2. The DNS request is sent from the remote user's browser to the public DNS server, which resolves the private application's name to the ZTNA gateway's name and IP address.

    Note

    The public DNS server has a CNAME record for the private application, which points to the FQDN of the ZTNA gateway. It also has an A record for the ZTNA gateway, which points to the gateway’s IP address.

  3. The public DNS server sends the ZTNA gateway’s IP address (203.0.113.20) back to the user's browser.

  4. A web request is then sent from the user's browser to the ZTNA gateway.

  5. The ZTNA gateway sends the DNS request for app.mycompany.net to the private DNS server.

  6. The private DNS server returns the IP address of app.mycompany.net (192.168.1.20).

  7. The ZTNA gateway forwards the request (app.mycompany.net) to the application server.

  8. The user can connect to the ZTNA Gateway to access the private application.

Note

The user can only access the private application after authentication and authorization, but they aren't included in this topic.