Cloud SWG admin using Agent Traffic Manager (ATM) component to role out WSS Agent groups of users.

Web, DNS Proxy and ZTNA policies created for the ATM referenced users/groups.

ZTNA DNS configuration configured to point to local DNS servers for domain.local.

DNS exception made for the local DNS server domain e.g. domain.local, and a traffic interception rule for a test user intercepting traffic to the DNS proxy service is enabled.

When a user tries to access a host in the domain.local DNS domain, resolution fails and no application data is rendered.

NSLOOKUP tool on a test host always shows the 'DNS request timed out' message.

RFC1918 IP address range explicitly added to the bypass IP address list.

Remove the RFC1918 IP address range (10.0.0.0/8 in our case) from the bypass IP address list.

This is not required as the WSS Agent bypasses RFC 1918 IP addresses transparently by default. Adding it explicitly to bypass list changes that logic.