@pw23 

I am using the corp VPN which has worked (mostly) for two years on this network setup but now steadfastly cannot reach the DNS to let me access the sites I need.

Is your VPN connection up ?

I would assume that with a corp VPN connection, its setup as a full tunnel, so all traffic goes down the VPN. If so I don't see how any DNS problem can be an ISP issue. If the tunnel is up then all DNS requests will be going down the tunnel...

So when I am connected to the VPN, it wants to resolve certain addresses using certain private DNS, but it can never reach them.

They said that my ISP was "blocking" these IPs

This may all be [-Censored-] but at present there are only 3 very specific web addresses that it wants me to use these DNS for, but they're unreachable.

Apparently everyone uses these same DNS IPs and I am the only one with this specific issue.

I have connected my work laptop through the hotspot on my phone and it works fine, so the issue is on the fixed line somehow.

So when I am connected to the VPN, it wants to resolve certain addresses using certain private DNS, but it can never reach them.

They said that my ISP was "blocking" these IPs

We've seen issues in the past where the VPN fails to connect due to (I think) a clash with the private address ranges used on the BTw/Plusnet network. However, that doesnt seem to be the situation in your case as the VPN connects ok.

As I said earlier, I would have expected the VPN to be a full tunnel i.e once connected ALL traffic goes down the VPN in which case there shouldn't be any possible block of anything.

I have connected my work laptop through the hotspot on my phone and it works fine, so the issue is on the fixed line somehow.

That would tend to imply its a problem on the BTw/Plusnet network.

A couple of questions :-

Do you have a static IP ?

and do you know what VPN software is used ?

I'll try tagging one of the PN experts 

@bobpullen do you have any thoughts ?

I don't believe I have a static IP

The VPN is Zscaler

The IPs it wants to use are 100.64.0.x

I can access the sites on my other PC, but that's not using the VPN, so I presume it's via public DNS.

in fact, one of the sites that doesn't resolve is a customer-facing site!

Thanks so much for your help. This problem started on Monday morning, it's been a week trying to even understand what's happening.

Did a Google search for DNS issues with this VP and found this...

Zscaler DNS issues with a VPN can arise from conflicting DNS settings, especially with split-tunnel VPNs or third-party VPN firewalls interfering with Zscaler's processes. To resolve this, ensure your VPN is not in split-tunnel mode if you want Zscaler to handle all DNS, disable VPN firewalls or add Zscaler to their allowlist, and check that Zscaler's DNS settings are correctly configuring for both internal and external domains. For specific issues, update Zscaler Client Connector, check its configuration for conflicts with components like the F5 DNS Relay Proxy Service, and consult Zscaler's knowledge base for known issues or best practices with your operating system. 

So reflecting on @MisterW 's observation, is this running a full or a split tunnel?

Is the VPN software up to date ... equally relevant, has it just been updated.

I am surprised at the inference that BT's network has any bearing on this.  The whole point of a VPN is that it is a shielded private pipe between client and server, incapable of being packet inspected by the carrier.  The postulation that a VPN pipe works over one carrier but not another is very much at odds with my understanding of how this stuff is supposed to function.

Assumption - you are working from a remote location (assumption based on you using a VPN).

Is the end device you are using provided by your employer (and thus - hopefully - locked down to their configurations and therefore you have no administrative control over it)?

Or

Is the end device your are using your own (and thus have local administrative control over it)?

Two entirely different scenarios. Lots of different answers IMO.

Thanks for the response

It wouldn't surprise me if others had problems with Zscaler, it's not well liked within the company and their support is terrible, to say the least.

I understand your confusion given the alleged explanation, but it was the opinion of Zscaler support upon learning that everything worked fine when using my mobile hotspot. Which works perfectly. As soon as I change to mobile internet, Zscaler auths fine (fast even!) and I can reach these otherwise forbidden URLs.

I have a strange feeling that my profile or whatever with Zscaler is incorrect. I mean, its their DNS that I can't find. Perhaps my IP has been put on a blocklist or removed from a whitelist for some reason.

Another strange things that the VPN software has reported is - No Network Interface can be detected - When the VPN connection fails, I get this error. I presume it means some sort of virtual adapter or driver because the hardware seems to function fine.

I am using a company-supplied laptop and software, which is fairly well locked down, but I do retain some admin privileges. I can't sudo, but I can get an elevated prompt for some things.

I am at home so I adminster my home network, however I can't find anything at all that would block these network requests. The trace hops to my router straight away and out, before getting lost about hop 15.

As for the question about split tunnelling, it's possible, but I don't think it's likely. The laptops are basically cut off if the VPN isn't working, there doesn't seem to be a fall back to un-VPN internet connectivity. It appears there's different routing within the VPN for different services as I can lose Teams and Slack, but still access Google in the browser

---

@pw23 wrote:

I have a strange feeling that my profile or whatever with Zscaler is incorrect. I mean, its their DNS that I can't find. Perhaps my IP has been put on a blocklist or removed from a whitelist for some reason.

I like your thinking!!

There is some possibility that the IP address range that you are on is being geolocation assessed incorrectly by Zscaler's VPN / DNS service.  I somewhat recall seeing something similar before - @bobpullen might recall the who (VPN product) etc.  Back in the day, this could be mitigated by assigning a static IP address on the user's account ... but that option is available no longer.

What is the A.B.0.0 of your external IP address?

Double check its geolocation data - there have been cases of individual data providers having this entirely wrong, especially where ARIN is the primary range holder.

You could try powering the router off over night, see if you get a different IP address in a completely different range and try again.  Note that dynamic IP addresses are very sticky over short duration disconnections.

There have indeed been incidents in the past with VPN issues. The last time I saw one here it was some sort of session not closing correctly and their credentials were locked to that previous IP address. So as a result when the worker got a different IP they couldn't connect to the work VPN.

The fix for that problem was only fixed by getting the work systems admin to remove the old dead session. Unfortunately it took awhile to convince the admin that was the issue.

My external IP is 165.225.x.x using VPN on my work laptop, but 146.70.x.x on my PC.

The geolocation and owner data looks correct, puts me in London which is fine for my corp.

I will try turning my router off tonight and see if I get a new IP.

Out of interest, what DNS server address is assigned to your VPN connection? Is it also in the 165.225.x.x range? Or something else? (Possibly an IP address of a DNS server within your employers network?)

(The data should be available via a IPCONFIG/ALL command on a cmd window)

(I'm scraping brain cell configurations going back 10-20 years and trying to disentangle actual data from all the other stuff stored in the human mind.)

Yep, the DNS that can't be reached is an internal one. It doesn't respond to ping, but that doesn't tell us much. I can ping the site I want IP and it responds. If I try to access through the browser, the DNS is unreachable.

@grumble  Don’t forget the OP can connect from his laptop to the works system using a hotspot on a mobile.

Problem seems to be an issue using the Plusnet network.