Some Zscaler Internet Access setups may classify Canary DNS traffic to Thinkst-managed *.cnr.io domains as Non Categorizable or as High risk DNS tunnels.
If the DNS policy blocks unknown categories or DNS tunnelling, it may accidentally block normal Canary traffic.
To allow Canary DNS tunnelling traffic, create a custom URL category containing the relevant cnr.io domains, then reference that category in a DNS Control allow rule placed above the relevant DNS tunnelling block rule.
Step 1: Create a custom URL category
- In the Zscaler admin portal, go to:
Administration > URL Categories > Add URL Category
- Create a new category, for example:
Canary-DNS-Tunneling-Domains
- Under URLs Retaining Parent Category, add the following entries:
.<customer-specific-domain-hash>.cnr.io
.cnr.io
cnr.io
For example:
.abcd1234.cnr.io
.cnr.io
cnr.io
The customer-specific domain hash is your Canary Console URL hash. For example, if your Console URL is abcd1234.canary.tools, your domain hash is abcd1234.
- Give it a description, e.g. Domains owned and managed by Thinkst Canary
Step 2: Add the category to a DNS Control allow rule
- Go to:
Policies > Access Control > Firewall > DNS Control
- Create a DNS allow rule.
- Set the rule to allow DNS requests where the Request Category matches the custom URL category created above.
Rule Name: Allow Canary DNS Tunelling
Action: Allow
Protocols: Any
Request Categories: Canary-DNS-Tunneling-Domains
- Place this allow rule above any rule that blocks high-risk DNS tunnelling, for example:
High risk DNS tunnels
Step 3: Confirm Canary traffic is being allowed
- After the custom URL category is added and referenced in a DNS Control allow rule, Zscaler should allow the Canary DNS tunnelling traffic.
- The logs should show the DNS request matching the allow rule, for example:
reqaction: "Allow"
resaction: "Allow"
reqrulelabel: "Allow Canary DNS Tunelling"
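The three steps above can be checked end to end without the portal: build the category entries from your Console hash, confirm which DNS query names they cover, and scan exported DNS Control log records for Canary queries that did not hit the allow rule. The script below is an added example, not Thinkst or Zscaler code. It assumes the Zscaler URL-category convention that an entry with a leading dot (.cnr.io) covers that domain and all its subdomains while a bare entry (cnr.io) covers only that exact name, and it assumes the log field names reqaction, resaction and reqrulelabel from the article plus a dns_req field holding the queried name; the log records themselves are constructed for the example.

```python
"""Check the Canary DNS category entries and the DNS Control allow rule from logs.

Added example (not Thinkst or Zscaler code). Assumptions: leading-dot category
entries match the domain and its subdomains, bare entries match exactly; the
log field names reqaction/resaction/reqrulelabel come from the article, and
"dns_req" for the queried name is an assumption. Sample records are constructed.
"""
import json

DOMAIN_HASH = "abcd1234"  # placeholder: hash from your Console URL (abcd1234.canary.tools)
ALLOW_RULE = "Allow Canary DNS Tunelling"  # must match the DNS Control rule name exactly
TUNNEL_BLOCK_RULE = "High risk DNS tunnels"  # the block rule the allow rule must sit above


def category_entries(domain_hash: str) -> list[str]:
    """The three URL-category entries from Step 1, built from the Console hash."""
    return [f".{domain_hash}.cnr.io", ".cnr.io", "cnr.io"]


def entry_matches(entry: str, qname: str) -> bool:
    """Zscaler-style match: '.x.y' covers x.y and *.x.y; 'x.y' covers only x.y."""
    qname = qname.rstrip(".").lower()
    entry = entry.lower()
    if entry.startswith("."):
        base = entry[1:]
        return qname == base or qname.endswith("." + base)
    return qname == entry


def in_category(qname: str, entries: list[str]) -> bool:
    return any(entry_matches(e, qname) for e in entries)


def check_log_records(records: list[dict], entries: list[str], rule_name: str):
    """Split Canary-domain queries into those allowed by the expected rule and
    those that hit anything else (e.g. still blocked as DNS tunnelling)."""
    allowed, problems = [], []
    for rec in records:
        qname = rec.get("dns_req", "")
        if not in_category(qname, entries):
            continue  # not Canary traffic, not our concern here
        if (rec.get("reqaction") == "Allow"
                and rec.get("resaction") == "Allow"
                and rec.get("reqrulelabel") == rule_name):
            allowed.append(qname)
        else:
            problems.append((qname, rec.get("reqaction"), rec.get("reqrulelabel")))
    return allowed, problems


# Constructed log records: one allowed Canary query, one Canary query still
# caught by the tunnelling block rule, one unrelated query, one look-alike name.
SAMPLE_LOG_LINES = [
    '{"dns_req": "t0k3n.abcd1234.cnr.io", "reqaction": "Allow", "resaction": "Allow",'
    ' "reqrulelabel": "Allow Canary DNS Tunelling"}',
    '{"dns_req": "data.cnr.io", "reqaction": "Block", "resaction": "Block",'
    ' "reqrulelabel": "High risk DNS tunnels"}',
    '{"dns_req": "www.example.com", "reqaction": "Allow", "resaction": "Allow",'
    ' "reqrulelabel": "Default Rule"}',
    '{"dns_req": "notcnr.io", "reqaction": "Block", "resaction": "Block",'
    ' "reqrulelabel": "High risk DNS tunnels"}',
]


def run_check(log_lines: list[str] = SAMPLE_LOG_LINES,
              domain_hash: str = DOMAIN_HASH, rule_name: str = ALLOW_RULE):
    records = [json.loads(line) for line in log_lines]
    return check_log_records(records, category_entries(domain_hash), rule_name)


if __name__ == "__main__":
    ok, bad = run_check()
    for q in ok:
        print(f"OK      {q} matched '{ALLOW_RULE}'")
    for q, action, label in bad:
        hint = " (allow rule is below the block rule?)" if label == TUNNEL_BLOCK_RULE else ""
        print(f"PROBLEM {q} -> {action} by '{label}'{hint}")
```

Any entry in the PROBLEM list whose rule label is the DNS tunnelling block rule is the symptom described in Step 2: the allow rule exists but is ordered below the block rule, so it never gets evaluated for that query.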