Hi Team,

I have a query regarding one of our customers who is currently using an existing DNS SEC setup for both outbound and inbound traffic. The customer already has NGSWG procured. Their current traffic flow is as follows:

[Roaming user] User endpoint >>> Active Directory DC >>> DNS forwarder >>> DNS SEC cloud.
For internal resolution there is a different IP configured for them, but they need to connect with Citrix VPN.

They want to understand how the traffic flow works with Netskope DNS SEC, which differs as it intercepts DNS queries for inspection.

Here’s the scenario: When a user queries a domain, the request first goes to the Netskope cloud for Deep Packet Inspection (DPI). If the domain is malicious, it gets blocked; otherwise, it is allowed and forwarded through the Secure Web Gateway (SWG).

My question is: if the user’s machine is configured with the DNS IP of the Active Directory (AD), does Netskope return the allowed traffic to the client machine, which then forwards it to the AD DNS IP configured on the machine? Or does the Netskope cloud resolve the DNS query itself (if the traffic is allowed), allowing the user to access the external domain directly?
I’m specifically referring to external domain traffic.

Additionally, for internal domains they need to connect via Citrix. Do we replace that with NPA, configured in such a way that the private app or domain the user accesses is resolved by their infra DNS itself while using the publisher DNS?

Hi mate, as I understand it, once the NS agent picks up the DNS request, assuming you have configured it to use your internal DNS, it will push the request for resolution before passing it along to Netskope for further processing. But if you configure your client configuration to pass it along to Netskope for resolution, then it will not return the traffic; it will proceed straight from there to allow/block with the SWG, Application Module, or any other security modules you have in your tenant.

For NPA, once a request is triggered it will pass along to the Netskope cloud; then the actual resolution will be done by the NPA publisher, which queries the configured DNS server and processes the rest of the traffic from there. I believe the mentioned app would be the Citrix server.

Hope I helped in some way or another.


Thanks man,

You mean to say that if the client machine has their enterprise DNS configured and the user is roaming, it would first resolve and then inspect? In this scenario the client machine is configured with the enterprise DNS IP. What is the best practice Netskope recommends for DNS SEC?


Hi mate, I am not sure whether your enterprise DNS server is external facing; if it is, then I would say by default the DNS resolution will be done by your enterprise DNS, followed by forwarding it to Netskope with the FQDNs or URLs for further processing. In terms of best practice, I would just say that if you already have an enterprise DNS server (with DNS security inspection) that is accessible by both remote workers and local users within the corporate network, the best bet is to make use of it. Unless your customer does have a subscription for DNS Security for Netskope, in which case you can leave the DNS inspection to Netskope instead.


@zywong The customer currently has Infoblox and they want to understand the traffic flow with Netskope. Their current flow for a remote user is like this: the DNS query goes to the data center AD, then to the DNS forwarder, then to the Infoblox DNS cloud (this is for internet/external traffic). They want to understand what the traffic flow would be if NS DNS SEC comes into the picture. I clarified one thing: bypass the internal domains for your enterprise as best practice. Now we are only talking about external traffic.


Hi mate, in this case Netskope will completely take over the DNS request and process it within Netskope only, from DNS SEC to SWG, etc. It will not be returned to their AD and so on for any DNS request filtering.


Great man,

So if the customer puts in any DNS IP, whether enterprise or global DNS, for external traffic, the traffic will be steered to Netskope, which itself inspects and resolves it and goes forward with the SWG.


That’s right, because the agent itself will pick it up regardless of what you configure in your network configuration and pass it to Netskope. This then allows Netskope’s DNS Security to filter out malicious requests or replies, just like what Infoblox is doing for your enterprise DNS-Sec.



When the customer would like to use Netskope DNS Security, you have to create a Steering Bypass for your internal local domains. Netskope will never touch these requests and will bypass them.

All other DNS requests will be sent to Netskope for inspection. The advantage of a unified platform is to consolidate several services and thus have simple management, but also the possibility to recognize and react to anomalies faster. However, Netskope does also support interoperability with the Infoblox DNS Security service.