Overview
In rare circumstances it may be necessary, at least temporarily, to bypass Umbrella DNS services for a particular DNS zone. Follow the directions below to bypass Umbrella for that zone using Conditional Forwarding.
Why? When switching to any public DNS resolver (including Cisco Umbrella), some DNS records may not work as expected (or may provide a different response) due to problems outside of Cisco's control.
Some possible scenarios include:
- The authoritative DNS server blocks Cisco Umbrella's source IP addresses due to Geo-IP filtering or other reasons. In this case, Umbrella attempts to route the query through other Data Centers, but this may be unsuccessful depending on how widespread the problem is.
- The authoritative DNS server is rate-limiting Cisco Umbrella's source IP addresses.
- The DNS record fails DNSSEC Validation. Umbrella validates DNSSEC by default - unlike some other services.
- The DNS records are not compatible with a privacy feature called Query Name Minimization (RFC 7816), which Umbrella supports - unlike some other services.
- The DNS server provides geo-location specific answers but does not support EDNS Client Subnet (RFC 7871), which Umbrella supports to provide more accurate geolocation. In this case, geo-location still works, but may be less effective depending on whether you have an Umbrella Data Center in your country. The authoritative DNS server may provide different answers depending on Umbrella's IP address.
- In some cases ISPs provide a cached copy of popular content (including Google content) and use DNS to direct users to the cache server. In this case, performance of these services may be slightly better when using the ISP's DNS service.
Conditional Forwarding Examples
In this example, problemzone.tld is bypassed from Umbrella using conditional forwarding. This zone can be sent to any public DNS resolver instead, such as your ISP or other DNS service.
Microsoft DNS Server
Right-click on the Conditional Forwarders section and select "New Conditional Forwarder...". Enter problemzone.tld as the domain and then add one or more server IP addresses for the DNS service you wish to use.
Note: You must replace x.x.x.x in the example with a valid IP address.
BIND Server
Edit your BIND configuration file (e.g. named.conf or named.conf.local) and add a new zone for problemzone.tld using the "forward" type. Specify one or more forwarder IPs for the DNS service you wish to use.
Note: You must replace x.x.x.x in the example with a valid IP address.
zone "problemzone.tld" {
type forward;
forward only;
forwarders { x.x.x.x; };
};
After saving this change, check and reload your BIND configuration.
For example:
named-checkconf
rndc reload
Umbrella Considerations
Umbrella Virtual Appliances & Roaming Clients
The domain must also be bypassed in Umbrella's on-premise software. This is usually as simple as adding the domain to the Internal Domains page on the Umbrella Dashboard (Deployments > Internal Domains). These clients will then forward the zone to your normal DNS server, which will in turn apply the conditional forwarding settings above.
Umbrella Network Device Integrations
If you have other network devices (such as Cisco ASA / ISR integration) that are integrated with Cisco Umbrella, consult their documentation to determine how to bypass the domain from Umbrella.