Overview
Most websites belong to a domain that resolves to a single IP address, but it is rarely easy, and often not possible, to "bypass" Cisco Umbrella's content filters by simply entering the IP address of a website into the browser address bar. In addition, most malware uses domain names, not IP addresses, for its command and control (C&C) traffic.
What to do
For security, blocking by hostname instead of IP is actually better for the following reasons:
- Better security—malicious domains hop from IP to IP to evade proxy and malware-blocking solutions, or blocking by the ISP. Keeping up with these changes at the IP level rather than the domain level is very hard, and is not the right approach.
- Reduced false positives/negatives—one IP is sometimes shared by thousands of domains, only a few of which are malicious. Blocking all of them is not a good idea, and neither is blocking none of them.
- Better visibility—blocking by IP prevents logging and analytics of which domain the user or machine tried to access, which is the information security and compliance teams should care about.
For content blocking it is true that accessing a website or host by IP address will not require a DNS lookup, so technically that will not be sent to Umbrella's servers for evaluation.
However, most websites today use load balancing, high availability and geolocation (where multiple IPs and locations serve the end user for better performance). They have multiple subdomains for features such as authentication, the website consists of multiple IPs from different servers, and in some cases entering the IP will simply redirect you to the FQDN of the site. Nearly all web servers silently instruct web browsers to download their content from one or more different domains. After the initial connection is established, several additional DNS requests are sent by the user's browser on the server's behalf, and these are enforced as normal.
As a result, in the vast majority of cases, simply typing an IP address into a browser will not work, because the setup on the web server side will usually convert that request to a domain name, and at that moment Umbrella receives a DNS query that can be acted upon. Alternatively, you may receive a partial or broken homepage, after which none of the links, including login, will work without proper DNS resolution in place.
At that point, Umbrella is able to intercept the request for resolution and perform an evaluation for security or content.
If you're unsure about the status of a particular site, try it for yourself: do an nslookup on the domain, enter the resulting IP address directly into the browser address bar, and see how the site behaves.
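The following script is an added example (not part of the Cisco Umbrella article) that makes the behaviour described above concrete. Given the raw HTTP response a browser receives when it connects to a bare IP address, it lists the hostnames the browser would still have to resolve through DNS: a redirect to the site's FQDN, and any scripts, stylesheets, forms or links that point at other domains. Each of those names is a lookup that a DNS-layer filter such as Umbrella can evaluate. The two sample responses are constructed for illustration and use reserved example domains and test-net addresses; the function names are this example's own.

```python
"""Enumerate the DNS lookups a browser still performs after being pointed at a bare IP.

Added example; the HTTP responses below are constructed, not captured from a real site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Attributes that cause the browser to fetch (or, for <a href>, follow) another URL.
FETCH_ATTRS = {"src", "href", "action", "data-src"}


def _is_ip(host):
    """True if the host part of a URL is a literal IP address (no DNS needed)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class HostCollector(HTMLParser):
    """Collect every non-IP hostname referenced by fetchable attributes in the HTML."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in FETCH_ATTRS and value:
                host = urlparse(value).hostname  # None for relative refs like /style.css
                if host and not _is_ip(host):
                    self.hosts.add(host.lower())


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return status, headers, body


def dns_names_triggered(raw_response):
    """Return (redirect_host or None, set of hostnames the browser would resolve)."""
    status, headers, body = parse_response(raw_response)
    redirect_host = None
    if 300 <= status < 400 and "location" in headers:
        host = urlparse(headers["location"]).hostname
        if host and not _is_ip(host):
            redirect_host = host.lower()
    collector = HostCollector()
    collector.feed(body)
    names = set(collector.hosts)
    if redirect_host:
        names.add(redirect_host)
    return redirect_host, names


# Constructed sample 1: the server answers a bare-IP request with a redirect to its FQDN.
REDIRECT_RESPONSE = "\r\n".join([
    "HTTP/1.1 301 Moved Permanently",
    "Location: https://www.example.com/",
    "Content-Length: 0",
    "",
    "",
])

# Constructed sample 2: a homepage that loads pieces from several other domains.
PAGE_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "",
    '<html><head><link rel="stylesheet" href="/style.css">'      # same host, no lookup
    '<script src="//cdn.example.com/app.js"></script></head>'    # CDN domain
    '<body><form action="https://login.example.com/auth"></form>'  # auth subdomain
    '<img src="http://203.0.113.10/logo.png">'                    # literal IP, no lookup
    '<a href="https://www.example.com/about">About</a></body></html>',
])


def main():
    for label, raw in (("redirect", REDIRECT_RESPONSE), ("homepage", PAGE_RESPONSE)):
        redirect, names = dns_names_triggered(raw)
        print(f"{label}: redirect to {redirect!r}; DNS lookups needed: {sorted(names)}")


if __name__ == "__main__":
    main()
```

Relative references such as `/style.css` and resources served from a literal IP are correctly ignored because they never produce a DNS query; everything else in the output is a name the filter gets to see, which is the reason direct-by-IP access rarely escapes a DNS-layer control.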