WSS Agent enabled on MacOS and used to access ZTNA segment Applications.
WSS Agent tunnel comes up successfully after authenticating with SAML.
Using Safari to access the segment Application (points to an internal Web server) via DNS fails.
Using Chrome after that to access the same Application worked. Once done, Safari access worked too, until the entry was removed from the MacOS DNS cache.
Can always access the segment App via IP address.
Cloud SWG integration with ZTNA (SAC - Secure Access Cloud).
Using WSS Agent with Split DNS to send DNS requests for ZTNA segment Application into corporate RFC 1918 DNS server IP address.
WSS Agent 8.2.1 running on MacOS.
DNS handling when the source port is defined as 0.
DNS handling when the DNS AAAA response is returned before the A response.
Upgrade to WSS Agent 8.2.3 or greater.
PCAPs from Symdiag confirm that DNS requests are sent to the ZTNA-configured DNS server correctly.
When the DNS server is configured to send IPv6 and IPv4 responses, and the IPv6 response comes in before the IPv4 response, the agent does not snoop it correctly. The end result is that the WSS Agent does not send the connection request into WSS.
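To check whether a capture shows the response ordering described above, the following added example (not Broadcom code) lists hostnames whose first AAAA response arrived before the first A response. It assumes the DNS payloads have already been extracted from the PCAP as (timestamp, bytes) pairs; the function names, hostnames and addresses are constructed for illustration.

```python
import struct

A, AAAA = 1, 28  # DNS query types

def parse_dns(payload):
    """Return (txid, is_response, qname, qtype) from a raw DNS message."""
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while payload[pos]:  # length-prefixed labels; a zero byte ends the name
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, = struct.unpack("!H", payload[pos + 1:pos + 3])
    return txid, bool(flags & 0x8000), ".".join(labels).lower(), qtype

def aaaa_before_a(capture):
    """capture: iterable of (timestamp, dns_payload). Returns names whose
    first AAAA response arrived before their first A response."""
    first = {}
    for ts, payload in capture:
        _, is_resp, name, qtype = parse_dns(payload)
        if is_resp and qtype in (A, AAAA):
            key = (name, qtype)
            first[key] = min(ts, first.get(key, ts))
    return sorted(n for (n, t) in first if t == AAAA
                  and (n, A) in first and first[(n, AAAA)] < first[(n, A)])

def build(txid, name, qtype, response, rdata=b""):
    """Construct a sample DNS message (test data only)."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    q += struct.pack("!HH", qtype, 1)
    flags, ancount = (0x8180, 1) if response else (0x0100, 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + q
    if response:  # one answer, name compressed to the question at offset 12
        msg += struct.pack("!HHHIH", 0xC00C, qtype, 1, 60, len(rdata)) + rdata
    return msg

# Constructed capture: hostnames and addresses are placeholders.
V4, V6 = bytes([10, 0, 0, 5]), b"\xfd" + b"\0" * 14 + b"\x05"
SAMPLE = [
    (0.000, build(1, "app.corp.example", A, False)),
    (0.001, build(2, "app.corp.example", AAAA, False)),
    (0.010, build(2, "app.corp.example", AAAA, True, V6)),  # AAAA answer first
    (0.014, build(1, "app.corp.example", A, True, V4)),
    (1.010, build(3, "wiki.corp.example", A, True, V4)),    # A answer first
    (1.015, build(4, "wiki.corp.example", AAAA, True, V6)),
]
```

Calling `aaaa_before_a(SAMPLE)` returns the names that match the ordering this article associates with the failure.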