Skip to main content

What are the Cisco Umbrella Block Page IP Addresses?

Apostolos Kouloukourgiotis
  • Updated
  • min read

Overview

 

When a page is blocked by the Cisco Umbrella service, our DNS resolvers display a block page instead of the page with the blocked content.  These block pages are served from Cisco Umbrella servers.  The Anycast IP address and associated block type for these servers are outlined in the table below.

Note:

We do not expect these IPs to change again in the near future, but if they did change, that update would be included in this article.

 
 
 
 
 
 

Solution

 
Requests using the “Block Page Bypass” feature could use any of the IP addresses listed on the following website:  https://www.opendns.com/data-center-locations/
 
 Name  Record Type  Address
Domain List Block Page  a  146.112.61.104
Domain List Block Page  aaaa  ::ffff:146.112.61.104
Command and Control Callback Block Page  a  146.112.61.105
Command and Control Callback Block Page  aaaa  ::ffff:146.112.61.105
Content Category or Application Block Page  a  146.112.61.106
Content Category or Application Block Page  aaaa  ::ffff:146.112.61.106
Malware Block Page  a  146.112.61.107
Malware Block Page  aaaa  ::ffff:146.112.61.107
Phishing Block Page  a  146.112.61.108
Phishing Block Page  aaaa  ::ffff:146.112.61.108
Security Integrations Block Page, Newly Seen Domains, DNS Tunneling VPN, Potentially Harmful, & Dynamic DNS  a  146.112.61.110
Security Integrations Block Page, Newly Seen Domains, DNS Tunneling VPN, Potentially Harmful, & Dynamic DNS  aaaa

 ::ffff:146.112.61.110

 

Related articles

Comments

6 comments

Date Votes
  • bbrandeb49

    Is this list up to date?  I keep getting another IP address (208.69.36.159) that is registered to OpenDNS.

    2
  • matt.griffiths

    Same here. Any updates on this?

    0
  • rotblitz

    Why do you think you get different addresses returned.  Is there any evidence for this?  I.e. how did you find out?

    0
  • bbrandeb49

    They basically told me that the list was fluid and they don't publish it for that reason.  

     

    0
  • matt.griffiths

    I can see the logs from my firewall, of users visiting the block page on 208.69.36.159, as well as some of the IPs above in the 146 range.

    0
  • rotblitz

    Well, the IP addresses on the list above are the first ones Cisco/OpenDNS returns if a blocked domain is being queried like:

    nslookup www.internetbadguys.com.

    But the browser continues to attempt accessing the hostname, using the returned 146.112.61.* IP address and is redirected with HTTP 301/302 several times until the final block page or block page bypass is being reached, using several different hostnames and IP addresses.  This is what you see if you check your firewall only instead of tracing what happens with the real DNS and HTTP/HTTPS traffic.  You would be able to analyze it with e.g.:

    wget -O - -S www.internetbadguys.com

    Possible final DNS query results are for example:

    nslookup block.opendns.com.
    Server:  local
    Address:  10.165.161.13

    Non-authoritative answer:
    Name:    block.proxy.umbrella.opendns.com
    Addresses:  208.69.36.152
              208.69.36.157
    Aliases:  block.opendns.com

    Hey, here you got such 208.69.36.15* addresses!

    Any more questions, or does this make sense now?

    0

Article is closed for comments.