In a typical network level Umbrella deployment, pointing DNS to Umbrella alone may not be sufficient to enforce Umbrella protections. Savvy users may attempt to bypass Umbrella by changing the DNS settings on their machines (if allowed by computer policy). This article discusses ways to lock down your network to prevent any other DNS service from being used to bypass Umbrella settings and protection.
- Network firewall
Access Privileges needed:
- Firewall access
- Firewall knowledge.
- Enforcing DNS to Umbrella
- Enforcing against DNS over HTTPS
- Enforcing against DNS over TLS
Enforcement of Umbrella DNS (Most Common)
Most routers and firewalls will allow you to force all DNS traffic over port 53 on the router, thus requiring everyone on the network to use the DNS settings defined on the router (in this case, Umbrella's DNS servers). The preferred recommendation is to forward all DNS requests to of non-Umbrella IPs to go to the IP's listed below instead. This way, you simply forward DNS requests without them knowing, instead of having the possibility of someone manually configuring DNS and having it just not work.
Alternately, create a firewall rule to only allow DNS (TCP/UDP) to Umbrella's servers and restrict all other DNS traffic to any other IPs.
Essentially, add the following filter or rule to the firewall that is at the edge of the network:
- ALLOW TCP/UDP IN/OUT to 220.127.116.11 or 18.104.22.168 on Port 53
- BLOCK TCP/UDP IN/OUT all IP addresses on Port 53
The first rule trumps the second rule, so anything requests to Umbrella are allowed but any DNS requests to any other IP are blocked.
Depending on your firewall configuration interface, you may need to configure a separate rule for each of these protocols or one rule which covers them both. The rule can be applied on either the firewall or the router, but normally is best placed on the device most at network edge. A similar rule could be applied to software firewalls installed on a workstation as well, such as the built-in firewall on Windows or Mac OS/X.
Using the roaming client and Active Directory Group Policy? To read how to lock down the Enterprise Roaming Client using Group Policy, click here.
Enforcement against DNS over HTTP/S (DoH)
In addition to blocking all alternate DNS providers, DNS may still be bypassed over HTTP with DoH. This is a local DNS resolver running which receives DNS, translates it into a HTTPS request, and sends the request out over HTTPS to an endpoint either with JSON or POST/GET. This type of traffic would typically not be seen by DNS inspection on network. The below examples are not the only DoH supported provider; however, they are used as examples.
Enforcement against DNS over TLS (DoT)
In addition to blocking all alternate DNS providers and DoH, DNS may still be bypassed over TLS. This uses the RFC7858 standard over port 853. One example of a DoT provider is CloudFlare.
Firewall support disclaimer
This article is targeted at assisting network administrators in enforcing Umbrella DNS. Unfortunately, individual configurations are not something Cisco Umbrella Support is able to assist in supporting, as each firewall or router has a unique configuration interface and these vary greatly. If you are uncertain, you should check your router or firewall documentation or contact the manufacturer to see if this is possible with your device.