Route Internal DNS Queries
To ensure correct DNS responses to local hosts inside your internal network, you will want to add local DNS domains in your Umbrella dashboard. Once added, these domains will automatically sync to both VAs (or more than two, if you have 2 VAs per physical site.) You only need to do this step once in the dashboard and the change should sync to both your primary and secondary virtual appliance.
It's important to note that certain zones and domain prefixes have already been added, both for the Virtual Appliance and the Umbrella roaming client. The following have already been added for you:
The RFC-1918 reverse DNS zones that are already added are: 10.in-addr.arpa, 16.172.in-addr.arpa through to 31.172.in-addr.arpa inclusive and 168.192.in-addr.arpa, which will cover all internal IP address ranges. However, if your internal domain name doesn't end in *.local, you should add it here.
To add internal DNS zones and domains:
- Open your Umbrella dashboard and navigate to Deployments > Configuration > Domain Management.
- Enter any internal DNS zone or domains:
You have a choice whether to apply this internal domain to "All Sites", "All Devices", or both. An example of where you may wish to specify only "All Sites" is with a mail server. If Roaming Devices off the network are expected to resolve "Mail.YourCompany.Com" to an external IP, but then when they are on the network, to resolve it to an internal IP, it's best to ensure that "Mail.YourCompany.com" is applied to "All Sites" only.
If you're not sure what your domains for forward zone lookups or reverse lookups are, you can find out by going to the Domain Controller(s) that is the primary internal DNS resolver for your network.
Log in using a privileged account and open Control Panel > Administrative Tools > DNS Manager or go to Start > Run > and type "dnsmgmt.msc"
Expand the Server name to show the Forward and Reverse Zones for your Domain, then drill through to see the in-addr.arpa domain address for your network. In this example, the network "10.122.6.44" would be covered by the 10.in-addr.arpa and the domain "butter.local" would be covered by the *.local domain, so there's actually no need for these to be added.
Once you've confirmed things are working as expected, you can begin to send your DNS traffic from your clients toward the VA.
- Start with a single workstation to test to ensure internal resolution is working
- Expand the testing to a subset of users, such as local I.T.
- Deploy the change to all of the workstations at the site / subnet associated with the VA.
To add A & PTR records for your VAs (to give them a name on network—not
- On your local DNS server, click Start > Run and type dnsmgmt.msc.
- Navigate to your forward lookup zones for your local domain (e.g. corp.domain.com).
- Select the local zone (e.g. corp.domain.com).
- On the right-hand side, right-click, select New Host.
- Enter a hostname for the VA, an IP and make sure the box ‘Create associated pointer (PTR) record’ is checked.
- Click Add Host.
To verify if the records were created correctly, you can test with nslookup
- Enter: nslookup (IP ADDRESS of the VA). For example:
- nslookup 192.168.1.2
1.168.192.in-addr.arpaname = va01.corp.domain.com.
- nslookup 192.168.1.2
- Enter: nslookup (HOSTNAME of the VA). For example:
- nslookup va01.corp.domain.com
Additional points of consideration
Existing internal DNS Servers/forwarders on the network should have their forwarders enabled and be pointing to the Umbrella AnyCast IP's (126.96.36.199/188.8.131.52).