In cases where an organization requires a DNS server query to respond with a specific IP address it's prudent to force the ProxySG return the desired IP address for all internal users. The ProxySG itself can act as an primary or secondary DNS server for users in networks secured by a ProxySG appliance, however, this requires special configuration.
Once the ProxySG contacts an internal or external DNS server to get IP resolution on a URL and it receives the answer from the DNS server in the form of an IP address, it cannot further manipulate or change it. The only other way for the ProxySG to influence the IP address that get mapped to a certain URL is for it to act as a DNS server for the client. By doing so, the ProxySG will perform the initial IP address resolution itself. If it cannot, then it can still refer to the configured DNS server(s) to do the resolution.
1. Set the DNS service under Proxy Services to Intercept
On Management Console, Go to Configuration -> Services -> Proxy Services -> Under Standard Service Group, highlight DNS service and choose intercept for the Action.
2. Open VPM and add a DNS Access Layer. Configure Source or Destination Objects and then Action according to what is desired. For example, if it is required to resolve cnn.com to 220.127.116.11 (just an example) for any client, then leave Source Object set to Any, Set Destination Object to DNS Response CNAME
and set the Action to Send DNS Response
The VPM afterwards will look like this:
3. Configure the client to have its only or primary DNS server to be the ProxySG itself by configuring the Proxy IP as the DNS server.
The next time a request comes in to the ProxySG with cnn.com as its domain, it will be mapped to 18.104.22.168. For any other requests for other domains not covered by the DNS Access Layer, the ProxySG will contact the DNS servers it is configured with for IP address resolution as normal. These DNS servers are configured under Configuration -> Network -> DNS as normal: