Does anyone know of zscaler9 and its products? We are getting a large number of DNS lookup hits on our DNS server from zscaler9 satellites / proxies. They appear to be a security provider who sits MITM to cleanse traffic for corps? Are there users of this product in MB, or Canada? Is this a big thing or a little thing? Can anything justify large quantities of DNS queries from them from all over the world? It looks like they intercept DNS and spoof with their own stuff, but if their proxies are caching shouldn't they only produce a sane/normal amount of hits?
Not sure about the "9", but Zscaler is a legit product/platform, I think one local IT consultancy sells it and another white-labels it and sells it that way. I don't know much about how it works, though, can't help there.

-Adam
On 2026-04-09 03:01, Trevor Cordes wrote:
Does anyone know of zscaler9 and its products? We are getting a large number of DNS lookup hits on our DNS server from zscaler9 satellites / proxies. They appear to be a security provider who sits MITM to cleanse traffic for corps?
Yes. It is an enterprise-focused web content filter service that also provides remote access and internal app fronting.
Are there users of this product in MB, or Canada? Is this a big thing or a little thing? Can anything justify large quantities of DNS queries from them from all over the world? It looks like they intercept DNS and spoof with their own stuff, but if their proxies are caching shouldn't they only produce a sane/normal amount of hits?
Yes there are users in MB and most definitely Canada. Depends on whether their resolver end-points handle TTLs correctly (wasn't always the case) or they have a bug. As to sourcing, could be someone playing with a local resolver or scraper tool that happens to be fronted by their service. Rando guess. -- Sean
On 2026-04-09 Sean Cody wrote:
Yes. It is an enterprise-focused web content filter service that also provides remote access and internal app fronting.
Thanks Adam & Sean. So it's a thing. But they possibly are, singlehandedly, going to force muug into a much more expensive DNS hosting tier. We're talking many hundreds of hits a day from *each* of their geographically dispersed proxies -- from all over the world. I'm miffed by abuse/stupidity when it doesn't cost anything but CPU cycles, but I'm extra miffed when possible abuse/stupidity will cost the club triple (plus!). Ideas before they get the banhammer?
On 2026-04-09 11:19 p.m., Trevor Cordes wrote:
I'm miffed by abuse/stupidity when it doesn't cost anything but CPU cycles, but I'm extra miffed when possible abuse/stupidity will cost the club triple (plus!).
Ideas before they get the banhammer?
At the literal technological level regarding "is zscaler9 a thing here" is way outside my knowledge base until between the three of you (Trevor, Adam & Sean) with my thanks collectively put the pieces together.

For many years now, I've come to recognize that at the global level we are into a technological arms race... having used computers for over 40 years when all I had was a slide rule at University and at the time my grandfather made ready use of the abacus he himself had made, when he together, with my father were filling out their paper-based income tax.

Simply put, we're into a multidimensional global technological arms race where individual bad actors have ever smaller buttons to push, with ever more ease that unleash ever more powerful tools. Just think over my lifetime on a farm I have hauled grain with a manual steering wheel pickup truck and today it's common practice for many farmers to have multiple 30 wheeled automated this and that B-trains doing in a day what we only completed over many years!

My point? Ever heard of a SLAPP suit (Strategic Lawsuit Against Public Participation)?

If we see that as SLAPP-suit 1.0; is not the ubiquitous multitiered answering machine many companies have that hold a human person on the line while a machine tells us how much they appreciate us having patience until an overworked, under resourced and underpaid offshore employee will be happy to address our issue in practice a SLAPP-suit 2.0 and AI 3.0 never mind the many other tools available?

I've been told MUUG is not a political forum so will leave aside some of the political organising I'm spending serious time on, however every one of our MPs over my lifetime, metaphorically are busy driving a 30 wheeler and have not enough hours in the year to be accessible to all their constituents as they do their party leaders' bidding.

In short, if we don't start hanging together more, as the adage goes, we will all hang together, thanks to someone with but CPU cycles, will cost the club triple (plus!) However the solution is within reach when we altogether in any discrete voting district speak with a united voice, in the accumulated unified voice of 1 Person = 1 Vote outweigh the few who operate on $1 = 1 Vote as in a few CPU cycles extort without limit...
Twitter has become a cesspool, but LinkedIn remains a useful place to call out bad behaviour by companies. https://www.linkedin.com/company/zscaler/ - but don't "Message" them, instead write a post on your timeline @mentioning them. (We just had this at $WORK and it's a stupid way to get a company's attention, but it does work, to a point.) or, 1-408-533-0288, they also publish phone numbers on their website, but be prepared to waste a bunch of time.

Also, send me the raw details, I may be able to verify and find an internal contact via my (human) networking network.

-Adam
Hello Adam,

Here are the top abusive DNS queries from zscaler9 for muug.ca for the 3 day period 2026-03-09 through 2026-03-11 (there are probably a lot more as this was only from our top 20 list):

muug.ca
IP Addr           Host                      Count

2026-03-09:
165.225.54.154    atl2-svc1.zscaler9.net    432
128.177.125.158   chi1-svc4.zscaler9.net    381
165.225.54.155    atl2-svc2.zscaler9.net    372
128.177.125.157   chi1-svc3.zscaler9.net    346
165.225.42.154    dfw1-svc1.zscaler9.net    337
137.83.176.154    bos1-svc1.zscaler9.net    304
137.83.141.154    mia3-svc1.zscaler9.net    254
137.83.176.155    bos1-svc2.zscaler9.net    235

2026-03-10:
165.225.54.155    atl2-svc2.zscaler9.net    448
165.225.54.154    atl2-svc1.zscaler9.net    402
128.177.125.158   chi1-svc4.zscaler9.net    283
128.177.125.157   chi1-svc3.zscaler9.net    281
165.225.42.154    dfw1-svc1.zscaler9.net    248

2026-03-11:
165.225.54.154    atl2-svc1.zscaler9.net    426
165.225.54.155    atl2-svc2.zscaler9.net    371
137.83.146.154    den3-svc1.zscaler9.net    268
137.83.146.155    den3-svc2.zscaler9.net    247

Our TTLs are set to 7 days.

Thanks for offering to help with your human networking network.

-- Bradford C. Vokey
Treasurer
Manitoba UNIX User Group
zscaler is a cloud based proxy service. It is used by customers to proxy end-user web traffic through zscaler's servers so the traffic can be filtered based on a number of criteria, primarily security but also based on the content of the web sites. Their customer base does include large enterprises based in Canada. My guess would be that zscaler is proxying DNS traffic for many of its customers causing the traffic to appear to originate from the same locations even though it may be many individual customers making the queries. They have many proxies spread around the world and customers can choose which exit points they want their traffic to be proxied from. zscaler is a reputable company so I'm pretty certain the DNS traffic is legit but if it is causing issues then you should reach out to them.

John
-- John Lange
On 2026-04-10 John Lange wrote:
My guess would be that zscaler is proxying DNS traffic for many of its customers causing the traffic to appear to originate from the same locations even though it may be many individual customers making the queries. They have many proxies spread around the world and customers can choose which exit points they want their traffic to proxied from.
But from what I've read about zscaler they intercept DNS traffic to their own servers which run security filters on it and thus should also be a caching recursive resolver? That would not behave like we're seeing, unless something was wrong. But if zscaler is just a glorified for-pay tor, then that's another thing altogether. And if they allow bad actors as customers, well then they'll end up just as bad as tor? We're making inquiries... but so far no response. A long-distance call may end up being required; of course you'll only be able to reach some clueless sales person... If this is a bad actor using their servers as proxies just hitting our DNS a whackton, even if zscaler is aware it may be hard for them to track down and fix. Oh ya, in my last email I said "triple cost", but I forgot to write: In Real Money.
On 2026-04-09 23:19, Trevor Cordes wrote:
Ideas before they get the banhammer?
Without knowing the back end... any opportunity to rate limit?

How I've handled similar in the past was at the firewall level (excuse the openbsd PF parlance).

# where egress is the 'upstream interface' group
DNS_RESOLVERS="10.0.0.53 10.0.1.53"

# ban abusers for an hour: pf.conf tables have no timeout option, so entries
# are aged out from cron with: pfctl -t dns_abusers -T expire 3600
table <dns_abusers> persist
table <dns_bypass> persist file "/var/db/dns_bypass.txt"

# Never block or rate limit some hosts.
pass in quick on egress proto tcp from <dns_bypass> to $DNS_RESOLVERS port 53
pass in quick on egress proto udp from <dns_bypass> to $DNS_RESOLVERS port 53

# NOT RETURN, just ignore for duration
block drop in quick on egress from <dns_abusers>

# If an IP makes more than 100 connections via UDP in 10 seconds, it gets flagged
pass in on egress proto udp to port 53 \
    keep state (max-src-conn-rate 100/10, overload <dns_abusers> flush global)

# If an IP makes more than 50 TCP connections in 10 seconds, it gets flagged
pass in quick on egress proto tcp from any to $DNS_RESOLVERS port 53 \
    flags S/SA synproxy state \
    (max-src-conn 5, max-src-conn-rate 50/10, \
     overload <dns_abusers> flush global)

I'm sure there are similar cloudy ways to do similarly? Just a random idea.

-- Sean
On 2026-04-10 Sean Cody wrote:
On 2026-04-09 23:19, Trevor Cordes wrote:
Ideas before they get the banhammer?
Without knowing the back end... any opportunity to rate limit?
Looks like we're extremely limited in blocking/rate-limiting options (as in "doesn't exist") with our DNS hoster. That pf autotimeout stuff is pretty cool; and handy. We can block them at the web server but that may or may not result in reduced DNS hits. And if zscaler has legit uses in Manitoba, banning wouldn't be the ideal route. (It sure would be nice to know if a *member* uses them.) I guess it may depend on whether they start responding in person to abuse reports/queries or not.
A quick scan of the top offending IPs from the DNS report in the muug.ca daemon logs reveals the thousands of DNS hits from one of the days resulted in *2* actual web hits. Zero MTA hits. Zero FTP hits. That's basically all we run. (Ok, ntp too, but that doesn't seem to log at the moment.) If this was organic the DNS lookups should result in some actual subsequent traffic, right? At least the Tencent abuse botnets we've dealt with before were kind enough to actually abuse the webserver with hits too! (The hit count is higher than Brad's chart indicated because there is another chart for muug.mb.ca that has the same servers hitting us at double the rate! And we've deprecated mb.ca everywhere we could think of to boot, so it should get tiny traffic, not more!)
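The two checks Trevor and Sean apply above (does a source query far more often than a TTL-honouring cache would need, and does it ever follow a lookup with real traffic) can be automated. The script below is an added example, not code from anyone on this thread: it correlates constructed BIND query-log and Common Log Format web-log samples per source IP and flags sources that blow past the cache budget without a single web hit; the log formats, the 10x slack factor and the sample lines are assumptions (the 432/day figure is borrowed from Brad's table).

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample logs (not the real muug.ca logs). The DNS lines use BIND's
# query-log layout; the 432 queries/day for 165.225.54.154 mirror Brad's
# atl2-svc1 count, the ordinary visitor 198.51.100.7 is made up.
DNS_LOG = [f"09-Mar-2026 10:{i // 60:02d}:{i % 60:02d}.000 client 165.225.54.154#{40000 + i}: "
           f"query: {'muug.ca' if i % 2 else 'www.muug.ca'} IN A"
           for i in range(432)]
DNS_LOG += [
    "09-Mar-2026 11:00:09.000 client 198.51.100.7#55001: query: muug.ca IN A",
    "09-Mar-2026 11:00:09.100 client 198.51.100.7#55002: query: www.muug.ca IN A",
]
WEB_LOG = [  # Common Log Format; only the ordinary visitor ever fetches a page
    '198.51.100.7 - - [09/Mar/2026:11:00:10 +0000] "GET / HTTP/1.1" 200 5120',
]

DNS_RE = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN ")
WEB_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) ")


def dns_queries_by_client(lines):
    """Return {client_ip: Counter(qname -> queries)} from BIND query-log lines."""
    per_client = defaultdict(Counter)
    for line in lines:
        m = DNS_RE.search(line)
        if m:
            per_client[m.group(1)][m.group(2)] += 1
    return per_client


def web_hits_by_client(lines):
    """Return Counter(client_ip -> requests) from Common Log Format lines."""
    return Counter(m.group(1) for m in map(WEB_RE.match, lines) if m)


def expected_lookups(distinct_names, ttl_seconds, window_seconds):
    """Lookups a TTL-honouring cache needs: about one per name per TTL period.
    With a 7-day TTL that is one query per name over a one-day window."""
    return distinct_names * math.ceil(window_seconds / ttl_seconds)


def flag_clients(dns_log, web_log, ttl_seconds, window_seconds, slack=10):
    """Flag clients whose query volume exceeds `slack` times the cache budget
    and who never followed a lookup with an actual web request."""
    hits = web_hits_by_client(web_log)
    flagged = []
    for ip, qnames in dns_queries_by_client(dns_log).items():
        total = sum(qnames.values())
        budget = expected_lookups(len(qnames), ttl_seconds, window_seconds) * slack
        if total > budget and hits.get(ip, 0) == 0:
            flagged.append((ip, total, budget))
    return sorted(flagged)


if __name__ == "__main__":
    for ip, total, budget in flag_clients(DNS_LOG, WEB_LOG, 7 * 86400, 86400):
        print(f"{ip}: {total} queries vs cache budget {budget}, zero web hits")
```

On the sample data only the zscaler9 node is flagged (432 queries against a budget of 20); a source that honours the 7-day TTL would need roughly two lookups a day for two names.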
Participants (6): Adam Thompson, Bradford Vokey, Eduard Hiebert, John Lange, Sean Cody, Trevor Cordes