Currently, the standalone Umbrella roaming client does not support dual-stack (IPv4 + IPv6) DNS configurations while the Cisco AnyConnect Umbrella module does have limited support for dual-stack. However, both products do have limitations in regard to IPv6 that are outlined in this article.
Umbrella Roaming Client
Having IPv6 enabled on some or most of your network does not necessarily affect the Umbrella roaming client or any computers with the Umbrella roaming client installed. However, if your DHCP server hands out IPv6-based DNS servers/forwarders to clients with the Umbrella roaming client installed, then there are problems.
Roaming Client w/ AnyConnect
We do support a dual-stack IPv4 + IPv6 configuration, but there are limitations in regard to what happens with IPv6 DNS queries. For the Cisco Umbrella client, the loopback address (127.0.0.1) is not used in the DNS settings when the Umbrella client is active. Instead, a kernel driver installed with the AnyConnect client intercepts all DNS queries. As a result of this, Umbrella sees all of the DNS queries—both IPv4 and IPv6—but the Umbrella DNS resolvers will only log the IPv4 source address. IPv4 connectivity to Umbrella resolver addresses (220.127.116.11) must be available for this function.
Technical Detail: IPv6 and the Umbrella Roaming Client
Having both IPv4 and IPv6 DNS servers (typically delivered via DHCP) does not allow either the Umbrella roaming client or the Umbrella module to store and replace the IPv4 DNS servers at the appropriate times. If IPv6 DNS servers are in your DHCP or static IP configuration, the IPv6 addresses must be removed to ensure the Umbrella systems will work properly.
Umbrella does not currently support content filtering or security protection for IPv6 DNS names; only name resolution. For detailed information regarding Umbrella and IPv6 support, see: https://support.umbrella.com/hc/en-us/articles/230563727-Does-Umbrella-Provide-IPv6-DNS-Services-
Since the AnyConnect Umbrella module does have limited support for dual stack, there can be odd behavior seen when IPv6 is also in use. When dual stack is used, the AnyConnect Umbrella module may show as protected, because the module itself makes the checks and establishes communication over IPv4. However content filtering and security policies may not be applied, since the requests can be made via IPv6 which does not have filter capabilities at this point in time.
If you'd like to see support be added for IPv6, let us know about how you're implementing IPv6 and your specific use case. We'd love to get that feedback!
FAQ for IPv6 and Umbrella
Q. Does Umbrella support the blocking of AAAA requests (with IPv4)?
Yes, AAAA queries for blocked domains received over IPv4 will return the IPv4-mapped IPv6 address of a block page.
Q. Does Umbrella support an IPv6 block page, or more generally, blocking IPv6 requests?
It is true that block pages are not reachable over IPv6, however, there's a bit of a misnomer with "blocking IPv6 requests". Umbrella allows or blocks domains, which are neither IPv4 or IPv6 addresses. The Umbrella DNS service resolves domains to IPv4 or IPv6 addresses. When Umbrella blocks something, it returns an IPv4 address for A queries or an IPv4-mapped IPv6 address for AAAA queries. The IP address returned is the one for the Umbrella block page rather than the domain.
In either case, the returned IP address is only accessible over IPv4, so the client must be at least IPv4 capable in order to subsequently connect to it.
When a request is proxied through the Umbrella intelligent proxy things are much the same. AAAA requests for grey-listed domains—received over IPv4—will return the IPv4-mapped IPv6 address of a proxy. The client must be IPv4 capable in order to subsequently connect to the proxy.
Q. If an IPv6 AAAA request is allowed, does Umbrella log that?
Yes, Umbrella does log it provided the request came from a registered identity or identities. Networks that have IPv6 addresses are not officially supported as origins—meaning that they cannot be registered with Umbrella as networks. The same is true of roaming clients or other identity types. Thus, DNS queries received over IPv6 will not have policy or reporting applied to them since there is nothing to apply it to.
There is a difference between the transport over which the query was received and the query itself (which can come over either transport). We generally don’t support IPv6 as a transport. IPv6 related queries though (eg: AAAA records) are supported, but if blocked, will return the IPv4-mapped IPv6 address of the block page.