When deploying the virtual appliance (VA) component of Cisco Umbrella, we recommend the following for DNS configuration on any internal DNS server.
- In the DNS server's network adapter settings, use the loopback address (127.0.0.1) as the first DNS entry so that the server uses itself for DNS resolution. The second entry should be another internal DNS server.
- In the DNS server's forwarder settings, use the Umbrella anycast addresses (208.67.220.220 and 208.67.222.222), not the virtual appliance IP addresses. Forwarding DNS queries from the DNS server to the virtual appliances may cause DNS loops, and is neither recommended nor supported; see https://docs.umbrella.com/deployment-umbrella/docs/6-local-dns-forwarding.
- If you use a Windows DNS server, you may wish to consider unchecking the "Use root hints" option, as it may cause DNS traffic to bypass Umbrella in some instances. For more information on this best practice, please reference our article that discusses root hints further. Note: Whether to use root hints as the last resort in the forwarder configuration is at the customer's discretion. If you uncheck the "Use root hints" option, there may be situations where your DNS server is unable to resolve external domains. You do not have to uncheck the option if you do not feel comfortable doing so.
- If the server also acts as a mail server, the best option is to point the forwarder to your ISP's DNS servers or other recursive resolvers. We outline potential problems with using Umbrella on mail servers in the following articles:
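The following PowerShell applies the adapter, forwarder and root-hints recommendations above on a Windows DNS server and then checks the result for the DNS-loop condition. It is an added example, not code from Cisco or the Umbrella documentation; the interface alias, the second internal DNS server address and the virtual appliance addresses are assumed values for illustration.

```powershell
# Added example (not from the Cisco Umbrella documentation). Run in an elevated
# PowerShell session on the Windows DNS server. The values below are assumptions;
# replace them with the addresses used in your environment.
$InterfaceAlias    = 'Ethernet'                          # assumption: adapter name on this server
$SecondaryDns      = '10.0.0.11'                         # assumption: another internal DNS server
$UmbrellaAnycast   = @('208.67.220.220', '208.67.222.222')  # Umbrella anycast resolvers (from the article)
$VirtualAppliances = @('10.0.0.21', '10.0.0.22')         # assumption: your VA IPs, used only for the loop check

# 1. Adapter DNS: the server resolves via itself (loopback) first, then another internal DNS server.
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses @('127.0.0.1', $SecondaryDns)

# 2. Forwarders: the Umbrella anycast addresses, with root hints disabled as the last resort.
#    Set-DnsServerForwarder replaces the whole forwarder list, so no VA address can remain in it.
Set-DnsServerForwarder -IPAddress $UmbrellaAnycast -UseRootHint $false

# 3. Verify: warn if any forwarder points at a virtual appliance (unsupported, may cause a DNS loop)
#    and if root hints are still enabled (queries may bypass the forwarders).
$fwd      = Get-DnsServerForwarder
$loopRisk = $fwd.IPAddress | Where-Object { $_.IPAddressToString -in $VirtualAppliances }
if ($loopRisk) {
    Write-Warning "Forwarder(s) point at a virtual appliance: $($loopRisk -join ', ')"
}
if ($fwd.UseRootHint) {
    Write-Warning 'Root hints are still enabled; some queries may bypass the Umbrella forwarders.'
}
$fwd | Select-Object IPAddress, UseRootHint, Timeout
```

The verification step can be run on its own to audit an existing server without changing its configuration.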