Overview
Currently, the Umbrella roaming client supports IPv4-only and dual stack network configurations: by default on macOS (roaming client 2.1.x+), and on Windows (client version 2.2.x+) once the IPv6 redirection toggle on the Roaming Clients page of the dashboard is enabled.
Support for IPv6-only networks for both the Mac and Windows operating systems is not available at this time.
IPv6 redirection support is available for the AnyConnect Roaming Security Module as of version 4.8.02042.
IPv4 Redirection
The IPv4 DNS redirection functionality of the roaming client remains unchanged. DNS will still be overwritten to 127.0.0.1, redirecting DNS into the roaming client's DNS encryption proxy.
Flow:
127.0.0.1:53 -> 208.67.222.222 / 208.67.220.220 (UDP 443 encrypted; UDP 53 unencrypted)
IPv6 Redirection
New in version 2.2.x, the IPv6 component is an addition to the roaming client, present both on the back end of the client and in the updated user interface tray.
What's new? Look for the IPv6 state. By default this reads "Not Enabled". If IPv6 redirection is turned on from the Dashboard, Umbrella's IPv6 redirection activates. When active, DNS for IPv6 is overwritten with ::1.
IPv6 protection has its own independent state: protected and encrypted, protected and unencrypted, unprotected, and other states. This state is reflected in the updated GUI.
IPv6 redirection occurs independently of IPv4 coverage.
Flow:
::1:53 -> 2620:119:53::53 / 2620:119:35::3 (UDP 443 encrypted; UDP 53 unencrypted)
Standard Operation
The roaming client tests the availability of the Umbrella resolvers on every network state change and on a regular recurring interval (currently 10s). If DNS is available via the DNS proxy, the client enters protected mode for the IP version that passes the test. With IPv6 enabled, expect DNS connectivity confirmation packets once for each protocol every 10 seconds.
When both protocols are active, DNS will be seen as:
::1
127.0.0.1
Functionality Chart
| Client/Feature: DNS Coverage | IPv4 Internal to IPv4 External | IPv4 Internal to Dual Stack External | Dual Stack Internal to IPv4 External | Dual Stack Internal to Dual Stack External | Dual Stack Internal to IPv6 External | IPv6 Internal to Dual Stack External | IPv6 Internal to IPv6 External |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Filtering: Standalone Roaming Client (Win/macOS) | ✔ | ✔ | ✔ | ✔ | ✔ | ✘ | ✘ |
| Filtering: AnyConnect Roaming Security Module 4.8 MR2+ | ✔ | ✔ | ✔ | ✔ | ✔ | ✘ | ✘ |
Notes: Internal DNS is never impacted by IPv6. In unsupported scenarios, DNS (including internal DNS) bypasses the client. Scenarios are based on the presence of IPv4 and IPv6 DNS settings. Internal networks may have IPv6 addresses without IPv6 DNS servers; these are considered IPv4 networks for the purposes of this chart.
FAQ
Q: Does Umbrella support the blocking of AAAA requests (with IPv4)?
Yes. AAAA queries for blocked domains received over IPv4 return the IPv4-mapped IPv6 address of a block page.
Q: Does Umbrella support an IPv6 block page, or more generally, blocking IPv6 requests?
It is true that block pages are not reachable over IPv6; however, "blocking IPv6 requests" is a bit of a misnomer. Umbrella allows or blocks domains, which are neither IPv4 nor IPv6 addresses. The Umbrella DNS service resolves domains to IPv4 or IPv6 addresses. When Umbrella blocks something, it returns an IPv4 address for A queries or an IPv4-mapped IPv6 address for AAAA queries. The IP address returned is that of the Umbrella block page rather than the domain. In either case, the returned IP address is only reachable over IPv4, so the client must be at least IPv4 capable in order to subsequently connect to it. When a request is proxied through the Umbrella intelligent proxy, things are much the same: AAAA requests for grey-listed domains received over IPv4 return the IPv4-mapped IPv6 address of a proxy, and the client must be IPv4 capable in order to subsequently connect to the proxy.
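As an added example (not code from the original page or from Umbrella), the following decodes AAAA answers of the kind described above and flags the ones an IPv6-only host could never follow. The block page address 192.0.2.10 is a constructed TEST-NET-1 placeholder, and the domain names are constructed.

```python
import ipaddress

# Constructed placeholder for the block page address (TEST-NET-1); the real
# Umbrella block page and proxy addresses are not given on this page.
BLOCK_PAGE_V4 = ipaddress.IPv4Address("192.0.2.10")

def aaaa_rdata_for_blocked(v4: ipaddress.IPv4Address) -> bytes:
    """16-byte AAAA RDATA carrying an IPv4 target as an IPv4-mapped IPv6 address."""
    return ipaddress.IPv6Address(f"::ffff:{v4}").packed

def classify_aaaa(rdata: bytes) -> dict:
    """Decode one AAAA answer and say what the client needs in order to reach it."""
    if len(rdata) != 16:
        raise ValueError("AAAA RDATA must be exactly 16 bytes")
    addr = ipaddress.IPv6Address(rdata)
    mapped = addr.ipv4_mapped  # None unless the address has the ::ffff:a.b.c.d form
    if mapped is not None:
        # An IPv4-mapped answer is only usable by a host that has an IPv4 stack.
        return {"kind": "ipv4-mapped", "ipv4_target": str(mapped),
                "is_block_page": mapped == BLOCK_PAGE_V4,
                "reachable_from_ipv6_only": False}
    return {"kind": "native-ipv6", "ipv4_target": None,
            "is_block_page": False, "reachable_from_ipv6_only": True}

def audit(answers: list[tuple[str, bytes]]) -> list[str]:
    """Report which AAAA answers an IPv6-only host could never connect to."""
    stuck = []
    for qname, rdata in answers:
        info = classify_aaaa(rdata)
        if not info["reachable_from_ipv6_only"]:
            stuck.append(f"{qname}: {info['kind']} -> {info['ipv4_target']}"
                         + (" (block page)" if info["is_block_page"] else ""))
    return stuck

# Constructed answers: one blocked domain, one allowed domain with a native AAAA.
SAMPLE = [
    ("blocked.example", aaaa_rdata_for_blocked(BLOCK_PAGE_V4)),
    ("allowed.example", ipaddress.IPv6Address("2001:db8::1").packed),
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```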
Q: If an IPv6 AAAA request is allowed, does Umbrella log that?
Yes, Umbrella logs it provided the request came from a registered identity. Networks that have IPv6 addresses must also be registered to be logged to reports. The same is true of roaming clients and other identity types.
Q: Wait, I can register an IPv6 network to Umbrella?
Yes! Be our guest and register away.
Q: Are there any expected scenarios where coverage does not apply as expected on a dual stack network with IPv6 DNS servers?
Yes. If the Umbrella IPv4 resolvers are not reachable, IPv4-bound DNS will be unprotected. If the Umbrella IPv6 resolvers are not reachable, IPv6-bound DNS will be unprotected. Either or both redirections can be unprotected due to network limitations. See the next question for an example scenario.
Q: What if I have an accessible IPv6 DNS server, but the Umbrella IPv6 resolvers are not accessible? Will the client retain protection?
Windows: IPv6 protection will remain offline because Umbrella is not accessible over IPv6. DNS sent to the IPv6 local resolver will be resolved normally, outside of the client. Since our IPv4 public DNS resolvers were available, any DNS sent to the IPv4 DNS stack will be protected by Umbrella. Therefore, DNS sent over IPv6 will not be protected, whereas DNS sent over IPv4 will be. One example seen in the field is a mobile hotspot with an IPv6 DNS server but no IPv6 access to our resolvers.
Q: What if my network interface has some local-only IPv6 DNS servers like "fec0:......."?
Windows: As of version 2.2.109, this may cause some inconsistent behavior. This will be resolved in our next release, after which such servers will not be processed by the roaming client.
Q: Does the client's IPv4 state interact with the IPv6 state at all?
Windows: No. They are completely independent states, each depending on network availability and the presence of a DNS server for its own protocol.
Q: Will IPv6 DNS be redirected to IPv4 DNS servers if Umbrella is only accessible over IPv4, but the computer is on an IPv6-enabled network?
Windows: No. The client will only send IPv6 DNS to the IPv6 resolvers for IPv6 DNS redirection, if they are available. IPv6-bound DNS will not be sent to our IPv4 resolvers and may not receive policy.
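The per-protocol state logic described under Standard Operation and in the FAQ answers above (independent IPv4 and IPv6 states, encrypted UDP 443 preferred over plain UDP 53, and the hotspot scenario where IPv6 DNS bypasses the client), as an added model in Python that is not the roaming client's own code. The Probe results, the "No DNS server" state label, and the way the Windows resolver list is shown for an unprotected protocol are assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum

class State(str, Enum):
    NOT_ENABLED = "Not Enabled"            # dashboard toggle off (label from the page)
    NO_DNS_SERVER = "No DNS server"        # assumed label for one of the "other states"
    PROTECTED_ENCRYPTED = "Protected and encrypted"
    PROTECTED_UNENCRYPTED = "Protected and unencrypted"
    UNPROTECTED = "Unprotected"

@dataclass(frozen=True)
class Probe:
    """Constructed result of one connectivity check for a single protocol."""
    enabled: bool      # redirection on for this protocol (IPv4 is always on)
    local_dns: bool    # the network hands out a DNS server for this protocol
    udp443_ok: bool    # Umbrella resolvers answered on the encrypted UDP 443 path
    udp53_ok: bool     # Umbrella resolvers answered on plain UDP 53

def protocol_state(p: Probe) -> State:
    """Each protocol is judged only on its own probe: IPv6-bound DNS is never
    steered to the IPv4 resolvers, so a healthy IPv4 path cannot rescue IPv6."""
    if not p.enabled:
        return State.NOT_ENABLED
    if not p.local_dns:
        return State.NO_DNS_SERVER
    if p.udp443_ok:
        return State.PROTECTED_ENCRYPTED
    if p.udp53_ok:
        return State.PROTECTED_UNENCRYPTED
    return State.UNPROTECTED

def client_view(v4: Probe, v6: Probe) -> dict:
    """Combine the two independent states into what an admin would check."""
    states = {"IPv4": protocol_state(v4), "IPv6": protocol_state(v6)}
    protected = {State.PROTECTED_ENCRYPTED, State.PROTECTED_UNENCRYPTED}
    # Loopback stubs the OS resolver list should show for each protected protocol
    # (Windows behaviour per the FAQ; an unprotected protocol keeps its local resolver).
    seen_as = [lo for proto, lo in (("IPv6", "::1"), ("IPv4", "127.0.0.1"))
               if states[proto] in protected]
    # Policy bypass: a DNS server exists for the protocol but Umbrella is unreachable.
    bypass = [proto for proto, s in states.items() if s is State.UNPROTECTED]
    return {"states": states, "dns_seen_as": seen_as, "unprotected": bypass}

# FAQ field scenario: a hotspot hands out an IPv6 DNS server, but the Umbrella
# IPv6 resolvers are unreachable while the IPv4 path is healthy.
HOTSPOT_V4 = Probe(enabled=True, local_dns=True, udp443_ok=True, udp53_ok=True)
HOTSPOT_V6 = Probe(enabled=True, local_dns=True, udp443_ok=False, udp53_ok=False)

if __name__ == "__main__":
    print(client_view(HOTSPOT_V4, HOTSPOT_V6))
```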
Q: Does macOS differ from Windows?
Yes. macOS has a central storage location for both IPv6 and IPv4 DNS, and we order our storage accordingly for local DNS. DNS will continue to flow through 127.0.0.1 on macOS, unlike Windows.
Q: If on a network behind a VA for IPv4 DNS, will the IPv6 component also disable behind the virtual appliance?
Not at this time, until the VA is IPv6 capable. The IPv6 redirection component of the roaming client will remain active, encrypted, and protected for IPv6-bound DNS requests.