Users are unable to do a DNS PTR lookup when using Symantec Agents with Cloud SWG DNS proxy enabled.
Cloud SWG with DNS Proxy.
Symantec Agents: Enterprise Agent, WSS Agent, SEP Agent Tunnel Mode.
By default, the DNS proxy does not automatically bypass private domains/IPs because it has no knowledge of them.
Maintaining internal reverse DNS servers is not a common practice for many.
To exempt reverse DNS lookups effectively, it's essential to use the appropriate "in-addr.arpa" address. See Private network under additional information.
For instance, exempting "28.172.in-addr.arpa" will directly route any reverse DNS request for addresses within the 172.28.x.x range, bypassing the DNS proxy altogether.
This approach ensures that internal reverse DNS queries are handled efficiently and without unnecessary proxying, optimizing network performance and reliability.
In the Cloud SWG Portal, go to Connectivity > DNS Exemptions > Add.
You will need to add the required "in-addr.arpa" internal addresses:
0.10.in-addr.arpa
168.192.in-addr.arpa
16.172.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
Note: You will need to do this if you are maintaining internal reverse DNS servers. As a result, these domains are often treated as DNS zone files internally, resulting in exemptions for everything under them.
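The mapping from an internal address range to its "in-addr.arpa" exemption entries can be scripted, which helps when checking that every internal range is covered. The following is an added example, not Broadcom or Cloud SWG code; the function names and the sample ranges are assumptions, and the matching rule models the "everything under them" behaviour described in the note above.

```python
import ipaddress

def reverse_zones(cidr):
    """Return the in-addr.arpa zones that together cover an IPv4 network.

    Reverse zones are delegated on octet boundaries, so a prefix that is not
    /8, /16 or /24 is expanded into the next longer octet-aligned zones.
    """
    net = ipaddress.ip_network(cidr)  # raises ValueError if host bits are set
    if net.version != 4 or net.prefixlen > 24:
        raise ValueError("expected an IPv4 network of /24 or shorter")
    boundary = max(8, -(-net.prefixlen // 8) * 8)  # round up to 8, 16 or 24
    zones = []
    for sub in net.subnets(new_prefix=boundary):
        octets = str(sub.network_address).split(".")[: boundary // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones

def is_exempt(ip, exemptions):
    """True if the PTR query name for ip sits at or under an exempted zone.

    Assumption: an exemption covers everything under it, matched on whole
    DNS labels, so 28.172.in-addr.arpa does not match 128.172.in-addr.arpa.
    """
    qname = ipaddress.ip_address(ip).reverse_pointer
    return any(qname == z or qname.endswith("." + z) for z in exemptions)

# Constructed sample: internal ranges that yield the entries listed above.
INTERNAL_RANGES = ["10.0.0.0/16", "192.168.0.0/16", "172.16.0.0/12"]

def build_exemptions(ranges=INTERNAL_RANGES):
    """Flatten the zones for every internal range into one exemption list."""
    return [zone for cidr in ranges for zone in reverse_zones(cidr)]

if __name__ == "__main__":
    for zone in build_exemptions():
        print(zone)
```

Running `is_exempt` over a sample of internal host addresses before and after editing the portal list shows which PTR queries would still be sent through the DNS proxy.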