Overview
This article explains the DNS Request Types that can be collected and listed in a report. Each record type has its own purpose in the DNS infrastructure. When thinking DNS, the first record type that comes to mind is the A Record which is the IPv4 IP address belonging to the hostname of the domain.
Note:
This list is by no means exhaustive. A more complete list, including the relevant RFC for each record type, can be found here: https://en.wikipedia.org/wiki/List_of_DNS_record_types
With regard to blocked security domains, please note that Cisco Umbrella blocks A, AAAA, ANY, CNAME, PTR, SRV, PRIVATE, SPF/DNS, NULL, SIG, HTTPS (Type65), and TXT records, so queries for other record types (MX, SOA, and NS) will be allowed, even though the category is blocked. However, requests for MX records of domains that have been categorized as "DNS Tunneling VPN" will be refused.
A Note on "Allowed" Security Categories in Umbrella Reports:
Cisco Umbrella is committed to DNS security. DNS record types observed to be capable of facilitating malicious connections (e.g. A/AAAA), tunneling traffic (TXT, SRV, etc.), or allowing bypass of standard DNS (Type65, etc.) are enforced. Some record types that are reference records, such as MX, SOA, and NS, are permitted even if tagged in a security category. If you believe a record type that is not blocked should be blocked, contact us at umbrella-support@cisco.com to request it. We monitor for new threat types to ensure that all records capable of delivering a malicious connection are enforced, without blocking request types whose blocking may hinder informational requests about the domain's ownership or mail servers.
To validate whether an "Allowed" Malware request is due to an alternate record type request, open your Activity Search and add the DNS record type column. This is surfaced transparently in reporting and does not indicate a failure to protect or a coverage gap.
For content filtering categories, record types other than A and AAAA will not be blocked. Destination lists also do not block all record types; NS, for example, is not blocked.
To view the record type of a request in the Activity Search, toggle the "DNS Types" column.
If a domain is "blocked", queries for address record types A and AAAA will return IP addresses that belong to Umbrella block pages. Queries for DNS record types ANY, CNAME, PTR, SRV, SIG, or TXT will return "REFUSED". (Note: when querying for domains classified as Dynamic DNS, address record types A and AAAA will be blocked, but queries for other DNS record types will not return "REFUSED".) The full list of types for which we return "REFUSED" is: 3-5, 7-10, 12, 16, 30, 33, 38, 64, 65, 99, 245, 253, 255, 65280-65534.
Exceptions:
- DNS Tunneling domains will "block" all record types.
- For the Dynamic DNS category, only A/AAAA records are blocked.
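The rules above can be turned into a triage check for "Allowed" entries in an Activity Search export. This is an added example, not Cisco code: the numeric type list is copied from this article, while the row field names, category labels and sample rows are hypothetical, and treating every non-address type as "refused" for DNS Tunneling is an assumption extended from the MX case stated above.

```python
# Added example; constants come from the article, row field names are hypothetical.
REFUSED_SPEC = "3-5, 7-10, 12, 16, 30, 33, 38, 64, 65, 99, 245, 253, 255, 65280-65534"
ADDRESS_TYPES = {1, 28}  # A and AAAA: answered with block-page IPs when blocked

def parse_ranges(spec):
    """Expand a list such as '3-5, 12' into a set of integer type codes."""
    out = set()
    for part in (p.strip() for p in spec.split(",")):
        if part:
            lo, _, hi = part.partition("-")
            out.update(range(int(lo), int(hi or lo) + 1))
    return out

REFUSED_TYPES = parse_ranges(REFUSED_SPEC)

def expected_response(qtype, category):
    """category is one of: security, dns_tunneling, dynamic_dns, content."""
    if qtype in ADDRESS_TYPES:
        return "block-page"
    if category == "dns_tunneling":
        # Article: tunneling domains block all record types (assumed REFUSED here).
        return "refused"
    if category == "security" and qtype in REFUSED_TYPES:
        return "refused"
    # Dynamic DNS and content categories enforce only A/AAAA.
    return "allowed"

def unexplained_allows(rows):
    """Rows logged as allowed although the record type should be enforced."""
    return [r for r in rows
            if r["verdict"] == "allowed"
            and expected_response(r["qtype"], r["category"]) != "allowed"]

# Constructed sample rows (not real Umbrella export data).
SAMPLE_ROWS = [
    {"domain": "bad.example", "qtype": 15, "category": "security", "verdict": "allowed"},
    {"domain": "bad.example", "qtype": 16, "category": "security", "verdict": "allowed"},
    {"domain": "ddns.example", "qtype": 16, "category": "dynamic_dns", "verdict": "allowed"},
    {"domain": "bad.example", "qtype": 1, "category": "security", "verdict": "blocked"},
]

if __name__ == "__main__":
    for row in unexplained_allows(SAMPLE_ROWS):
        print("needs review:", row["domain"], "type", row["qtype"])
```

Only the TXT (type 16) row against the security category is reported; the MX row is an expected allow under the rules above.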
DNS Lookup Types & Functions
| DNS Lookup Type | Description | Function |
| --- | --- | --- |
| A | IPv4 address record | Returns a 32-bit IP address, which typically maps a domain’s hostname to an IP address, but also used for DNSBLs and storing subnet masks |
| AAAA | IPv6 address record | Returns a 128-bit IP address that maps a domain’s hostname to an IP address |
| ANY | All cached records | If the domain is not blocked, Umbrella will return NOTIMP to requests for this type. |
| CNAME | Canonical name record | Alias of one name to another: the DNS lookup will continue by retrying the lookup with the new name |
| MX | Mail exchange record | Maps a domain name to a list of message transfer agents for that domain |
| NS | Name server record | Delegates a DNS zone to use the specified authoritative name servers |
| PTR | Pointer record | Pointer to a canonical name that returns the name only and is used for implementing reverse DNS lookups |
| SIG | Signature | Signature record |
| SOA | Start of authority record | Specifies authoritative information about a DNS zone, including the primary name server, the email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone |
| SRV | Service locator | Generalized service location record, used for newer protocols instead of creating protocol-specific records such as MX |
| TXT | Text record | Carries extra data, sometimes human-readable, most of the time machine-readable such as opportunistic encryption, DomainKeys, DNS-SD, etc. |