In a typical network level Umbrella deployment, pointing DNS to Umbrella alone may not be sufficient to enforce Umbrella protections. Savvy users may attempt to bypass Umbrella by changing the DNS settings on their machines (if allowed by computer policy). This article discusses ways to lock down your network to prevent any other DNS service from being used to bypass Umbrella settings and protection.
- Network firewall
Access Privileges needed:
- Firewall access
- Firewall knowledge.
- Enforcing DNS to Umbrella
- Enforcing against DNS over HTTPS
- Enforcing against DNS over TLS
Enforcement of Umbrella DNS—Most Common
- ALLOW TCP/UDP IN/OUT to 126.96.36.199 or 188.8.131.52 on Port 53
- BLOCK TCP/UDP IN/OUT all IP addresses on Port 53
Enforcement against DNS over HTTP/S (DoH)
- In Umbrella, enable the “Proxy / Anonymizer" and "DoH / DoT” content category
- Block the IPs of known DoH providers on your firewall
Details and Background
In addition to blocking all alternate DNS providers, DNS may still be bypassed over HTTP with DoH. This is a local DNS resolver running that receives DNS, translates it into a HTTPS request, and sends the request out over HTTPS to an endpoint either with JSON or POST/GET. This type of traffic is typically not seen by DNS inspection on network.
Because DoH can be used to bypass Umbrella, Umbrella includes known DoH servers in the “Proxy / Anonymizer” content category. This mechanism is effective, but has limitations:
- It cannot block brand new DoH providers that are unknown to us
- It cannot block DoH which is used via IP address
For the first issue, we do our best to watch new DoH providers, and customers can further improve coverage by also blocking Newly Seen Domains.
For the latter limitation, there are limited scenarios where DoH is accessed directly by IP address. Firefox with CloudFlare is the most well-known example.
Note: Do not add the Mozilla Kill Switch domains to the block list. This is because if the domains are blocked, we return an A-record for our block pages. Firefox will consider this a valid response and will therefore auto-upgrade its DoH.
Enforcement against DNS over TLS (DoT)
- Block 184.108.40.206 and 220.127.116.11: port 853 (CloudFlare)
Firewall Support Disclaimer