Keep your DNS queries private by using DNS over HTTPS (DoH) in supporting web browsers. With DoH, your browser's DNS traffic is encrypted, so it stays private and cannot be modified by network operators and snoops. Umbrella now has the following DoH endpoint available:
A DoH frontend to our standard production DNS service as provided on 220.127.116.11 and 18.104.22.168
Steps for using DoH with Umbrella will depend on your browser and operating system.
Details and instructions are available from Mozilla. Firefox can be configured to use Umbrella as a custom DNS over HTTPS provider. Go to Options > General > Network Settings and select Enable DNS over HTTPS. Under Use Provider, choose Custom and enter the following URI template:
Choose OK and your queries will be encrypted!
Details and instructions on configuration are available from the Chromium Blog. Chrome will automatically enable the use of DoH if Secure DNS is enabled and it sees Umbrella anycast IP addresses used by the operating system for DNS.
Configure your OS to use the following IP addresses as DNS servers:
|Service||IPv4 Addresses||IPv6 Addresses|
In Chrome's settings, go to Privacy and security, then Security (or enter chrome://settings/security into the address bar). Enable Use secure DNS.
Your DNS queries will now be encrypted! To check, you may visit the Umbrella DoH test page at https://umbrella.cisco.com/doh-help.
Note that Chrome looks for the Umbrella IP addresses specifically when deciding whether to upgrade to DoH. This means that if your OS is configured to use the IP address of a local DNS server or forwarder, Chrome will not upgrade to using DoH, even if that server forwards to Umbrella.
If your computer is considered managed by Chrome, which is likely if your computer is provided to you by your work or school, it will not auto-upgrade to using DoH, and this setting may not be visible or configurable.
Instead of auto-upgrading based on IP, you may configure Umbrella directly by setting a custom provider. Under Use secure DNS, select With and choose Custom from the drop-down. Where it asks to enter custom provider, add the Umbrella URI template in the following format:
There are some situations you may encounter that cause a conflict between DoH and Umbrella SWG (notably the AnyConnect module):
1) The External Domains feature in AnyConnect, which allows domains and IP addresses to bypass Umbrella SWG and go direct to the internet instead, cannot be configured by domain name (FQDN) when using DoH. This is because AnyConnect relies on the operating system's DNS cache to link domain names to IP addresses when detecting which requests should go to SWG and which should bypass it. When DoH is used (especially by a browser), the operating system's DNS stub resolver is bypassed and consequently no DNS cache entry is created. This leaves AnyConnect unable to correlate a domain name or FQDN to bypass with the packet it is seeing.
Workarounds: (1) Disable DoH on workstations using AnyConnect for Umbrella SWG, and/or (2) Configure External Domains (SWG exceptions) by IP address instead of domain or FQDN.
2) If DoH is used for resolution of internal resources (e.g. example.local or example.corp) by an internal DNS server, AnyConnect Umbrella SWG must be configured to not intercept those DoH requests. This is because DoH looks like any other HTTPS request, and the SWG module will intercept it and redirect it to Umbrella. If the DoH server is not accessible from Umbrella's cloud, the query will never reach the intended internal DNS server.
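To make concrete why a DoH lookup looks like any other HTTPS request to the SWG module, the following added example (not Umbrella's code and not part of the original page) builds an RFC 8484 GET request for an internal name and decodes it back, as an operator might when checking proxy logs. The template host `doh.example.invalid` and the name `host.example.corp` are placeholder assumptions, not the Umbrella endpoint.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# Placeholder URI template (assumption); not the Umbrella endpoint.
TEMPLATE = "https://doh.example.invalid/dns-query{?dns}"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Return an RFC 1035 wire-format query for `name` (qtype 1 = A record)."""
    # ID 0 (RFC 8484 recommends it for HTTP caching), flags 0x0100 = RD, 1 question.
    header = struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").encode("ascii").split(b"."):
        if not 0 < len(label) <= 63:
            raise ValueError(f"invalid label length in {name!r}")
        qname += bytes([len(label)]) + label
    return header + qname + b"\x00" + struct.pack("!2H", qtype, 1)  # class IN


def expand(template: str, query: bytes) -> str:
    """Fill {?dns} with unpadded base64url, as RFC 8484 requires for GET."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return template.replace("{?dns}", "?dns=" + b64)


def qname_from_url(url: str) -> str:
    """Recover the queried name from a DoH GET URL, e.g. one from a proxy log."""
    b64 = parse_qs(urlsplit(url).query)["dns"][0]
    msg = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    labels, pos = [], 12  # the question section follows the 12-byte header
    while msg[pos]:  # a zero length byte ends the name (no compression in queries)
        labels.append(msg[pos + 1 : pos + 1 + msg[pos]].decode("ascii"))
        pos += 1 + msg[pos]
    return ".".join(labels)


if __name__ == "__main__":
    # Constructed sample: an internal name like those mentioned above.
    url = expand(TEMPLATE, build_query("host.example.corp"))
    print(url)                  # an ordinary-looking HTTPS GET URL
    print(qname_from_url(url))  # host.example.corp
```

On the wire the URL itself is inside TLS, so an intercepting proxy only sees the queried name if it decrypts the HTTPS session.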