Purpose of DNS steering in Steering config

Hello @Siva, 

This controls whether you want the Netskope client to intercept DNS requests for applying DNS Security.  

https://docs.netskope.com/en/netskope-help/data-security/netskope-cloud-firewall/dns-security/

It only should impact DNS requests that aren't configured in NPA App Definitions and is intended for DNS requests to external domains.   One other benefit beyond applying controls (sinkholing requests to malicious domains, tunneling detection, etc)  to the DNS traffic is that outbound DNS requests from the machine are also logged which provides visibility. 

The "Use Publisher DNS" setting on private apps overrides the default behavior of NPA to resolve defined domains to a "stub IP" address that NPA steers.  Enabling this flag instead forwards requests to specified domains to the respective Publishers to get the real IP address of the hostname(s).  In general, hosts defined in NPA take the highest precedence in resolution and steering so DNS security should not impact NPA steering.  

Hello Siva, 

If it's defined by the wild card then all DNS requests for that app will be steered through NPA when Publisher DNS is enabled.  Is Publisher DNS required for the wildcard?  Are all the IP addresses for southshorehealth.org defined in NPA apps as well?  There are ways to force an exception but the DNS request will still be tunneled via NPA. 

Siva,

Does the specified app resolve differently for internal hosts vs external hosts?  If not, you can create a more specific app definition for server1.southshorehealth.org with Publisher DNS enabled.  If you don't define the IP address it resolves to in an app definition then it will resolve via NPA but the connection to the IP address it resolves to will not be steered to Netskope via Private Access (it may still go to the SWG if it's web traffic with a public IP address).  You must also ensure that the IP address is not included in other app definitions via CIDR blocks.