The Virtual Appliance supports DNSCrypt between itself and OpenDNS' public DNS resolvers. This means any information contained in the DNS packets forwarded from the VA are encrypted by DNSCrypt and cannot be intercepted. This feature is enabled by default for best protection, but in some cases cannot be enabled because of firewalling between the VA and the public DNS resolvers.
Unencrypted traffic is considered a problem that should be resolved. When encryption cannot be established between your VA and OpenDNS, a warning about a state will occur in your dashboard for the Virtual Appliance. Although the warning is new as of the week of October 3rd, 2016, the problem is not new and this warning is to ensure you have the best possible protection. The dashboard overview will look like:
Clicking View Details shows a message indicating the DNS queries forwarded by this VA to OpenDNS are not encrypted:
DNSCrypt is only available in Virtual Appliances at 1.5.x or higher. If you only have a single VA, and that VA hasn't been upgraded, this message will also appear. For information on upgrading your VA, please read: https://docs.opendns.com/product/umbrella/upgrading-your-virtual-appliances/
If you are on 1.5.x or higher, read on.
To resolve, simply ensure that your firewall or IPS/IDS allows encryption for the VA. Encryption is established with a probe sent on port 53 (UDP/TCP) to 126.96.36.199, 188.8.131.52, 184.108.40.206 and 220.127.116.11 and if you have a firewall or IPS/IDS doing deep packet inspection and expecting to see only DNS traffic, the probe may fail. In other words, the encrypted packets may not match the expected traffic on that port. Encrypted traffic is also send back to the VA, so check inbound traffic to your network to ensure these rules are being met in both directions and on all devices .
Please review your firewall configuration if that is the case and open a case with Support if you believe that you are allowing this traffic.
The article outlines the behavior of the Cisco ASA firewall and error messages you could expect to see if deep packet inspection is enabled: