Update: All Umbrella roaming clients have been transitioned over to the new sync destination sync.hydra.opendns.com via a HTTP redirect from the api.opendns.com endpoint. In the new year, clients will transition to sync with sync.hydra.opendns.com directly; however, since all clients already sync to this host, no impact is expected as a result.
As part of an upgrade to the underlying sync capabilities for roaming clients, a new domain for the Umbrella roaming client syncing to Umbrella has been created. This change will enable faster sync responses and more up to date roaming client statuses in the dashboard. Action is required to ensure this domain is permitted in your firewall.
The change is:
allow TCP 443 to sync.hydra.opendns.com (bidirectionally)
sync.hydra.opendns.com can resolve to several IP addresses, all within the 188.8.131.52/24 IP range. We recommend adding this entire range as the IP address(es) for sync.hydra.opendns.com are Anycast and may change. Currently, the 4 IP addresses this domain resolves to are:
184.108.40.206 to 220.127.116.11 and 18.104.22.168 to 22.214.171.124
Failure to make this change will result in the roaming client being unable to sync and possibly lose the list of internal domains that it obtains from the dashboard.
If you utilize an HTTP proxy that is configured at the user-level (normally using GPO), you will need to make sure the "SYSTEM" user is also configured to use the proxy. All of the following rules are required in your firewall to have the roaming client successfully sync with the API:
ocsp.digicert.com and crl4.digicert.com
126.96.36.199, 188.8.131.52, sync.hydra.opendns.com, ocsp.digicert.com and crl4.digicert.com