Aruba Networks has the following three wireless LAN (WLAN) product lines / operating systems for different market segments and deployment scenarios.
- ArubaOS: for large organizations and high density deployments
- Aruba Instant / InstantOS: for small-to-medium sized businesses and distributed enterprises
- Aruba Instant On: for home and small office users
This article provides guidelines for Aruba WLAN administrators to adopt and deploy Umbrella DNS services.
2. Deployment Overview
Methods of deployment depend on your Aruba operating system and how you plan to use Umbrella.
Customers who run any of the three aforementioned Aruba OSes can start deploying Umbrella DNS by consulting the user guide at https://docs.umbrella.com/deployment-umbrella/. Video tutorials are available at https://learn.umbrella.com/page/deployment, as well.
Customers who run Aruba Instant have an additional option of using the Umbrella network device integration available in InstantOS. Please note, however, that customers who choose this option will not be able to see wireless clients' internal/private IP addresses on the WLAN in Umbrella reporting, such as the Activity Search report. DNS queries from clients will map to Instant AP clusters' network device identities in Umbrella, and information regarding the individual clients will not be available. From the perspective of Umbrella cloud, DNS queries will appear to come from the Instant AP clusters, rather than the Wi-Fi clients.
As such, customers who have a requirement to trace individual clients' DNS queries or to tailor DNS policies for individual clients on a WLAN should deploy Umbrella through standard methods described in the Umbrella DNS user guide (i.e. without using the network device integration through Aruba Instant), and consider including Umbrella virtual appliances or roaming clients in their deployment plans.
3. Aruba Instant Integration
Aruba Instant's Umbrella (OpenDNS) network device integration may be beneficial in environments where all Wi-Fi clients connected to an Instant AP cluster will be subject to a single Umbrella DNS policy, and where there is no need to review individual clients' DNS queries in Umbrella reports. This section explains how to set up the integration.
The integration uses a legacy version of Umbrella's network devices API. The legacy version does not require customers to generate API tokens from their Umbrella dashboards, but the newer versions do.
While the author of this article is not aware of any immediate plan to retire the legacy API at the time of writing, there is no guarantee that the legacy API will be maintained indefinitely. For information on other deployment options, please see the "Deployment Overview" section.
The following requirements need to be met in order to use the integration.
- APs need to run InstantOS version 188.8.131.52 or newer (as of May 2022).
- The Umbrella dashboard account used for the integration needs to have Full Admin role.
- The account's email address cannot be associated with more than one Umbrella dashboard. If you are not sure whether the email address is only associated with a single dashboard, you can contact the Umbrella support team at email@example.com to verify.
- Single sign-on (SSO) and two-factor authentication (2FA) cannot be enabled for the account.
- If there is a network security appliance (e.g. a firewall) between the APs and the Internet, the appliance needs to allow unfiltered, non-inspected connections to 184.108.40.206, 220.127.116.11, 18.104.22.168, and 22.214.171.124/29 (.152 ~ .159).
At a high level, there are four configuration steps in enabling the integration.
- Set a name for AP cluster
- Enter account credentials
- Intercept DNS queries
- Apply DNS policy
1. Set a name for AP cluster
When an Instant cluster successfully registers itself to an Umbrella dashboard for the first time, a network device entry is added under Umbrella dashboard -> Deployments -> Network Devices. The device name of a new entry comes from the system name configured on the cluster's virtual controller.
To set the system name on an Instant virtual controller, navigate to Configuration -> System.
Note that the name value is copied only once during initial registration. If a system/device name is changed on either Instant or Umbrella side afterwards, you will need to manually update the name on the other side.
2. Enter account credentials
If the requirements listed in the "Prerequisites" section are met, you can add an Instant cluster to your Umbrella dashboard as a network device. To do so from a cluster's virtual controller, navigate to Configuration -> Services -> OpenDNS, enter the login credentials of an Umbrella account, and click the "Save" button.
If the virtual controller (VC) successfully connects to Umbrella, you will see a "Connected" status when you navigate to Support and run the "VC OpenDNS Configuration and Status" (show opendns support) command. You will also see a device ID, which is generated by Umbrella when a new network device is created, and is saved into the Instant VC config. The latter part is important because each Instant cluster needs to have a unique Umbrella network device ID, so the device ID should not be copied from one cluster's config to another. A valid device ID typically has 16 digits.
If the command output shows a "Not connected" status, you can try to find out why by running "AP Tech Support Dump" (show tech-support) and "AP Tech Support Dump Supplemental" (show tech-support supplemental) commands, and searching for "opendns" in the logs. The command outputs can also be shared with Aruba TAC for troubleshooting purposes.
If everything is working correctly, you should see a new entry in Umbrella dashboard -> Deployments -> Network Devices, where you can search for an Instant AP cluster by its name, or you can delete an existing entry if you wish to generate a new device ID.
3. Intercept DNS queries
Upon confirming that a cluster has been successfully added to your Umbrella dashboard as a network device, you can set the cluster to begin intercepting DNS queries sent from wireless clients (that are connected to APs in the cluster). Once it's set, regardless of what DNS server IP addresses are configured on the NICs of wireless clients, the clients' DNS queries will be intercepted by the cluster and forwarded to Umbrella's anycast resolvers at 126.96.36.199 and 188.8.131.52.
To intercept DNS queries, navigate to a cluster's virtual controller -> Configuration -> Networks, and select a wireless network. Edit the network, click on the "Show advanced options" button, and scroll down to the "Miscellaneous" section. Enable the "Content filtering" option, and keep clicking "Next" until you can click on the "Finish" button to save the change.
After the option is turned on, you should start seeing DNS queries in Umbrella dashboard -> Reporting -> Activity Search. The identity of the queries maps to a network device name, which is typically the system name configured on the AP cluster's virtual controller. Note that it may take some time (e.g. 15 minutes) for queries to be processed and displayed in the dashboard GUI.
In Umbrella dashboard -> Deployments -> Network Devices, it may take up to 24 hours for a device to change to an active / online status. Status of a network device merely indicates whether DNS queries were intercepted by the device and forwarded to Umbrella in the 24 hours prior, and does NOT influence how a device communicates with Umbrella. An offline / inactive status may simply mean that no wireless client was connected to an AP cluster in the past 24 hours, and will NOT prevent the cluster from utilizing Umbrella services.
4. Apply DNS policy
In Umbrella, the "Default Policy" automatically includes all identities (e.g. network devices) added to a dashboard. It may not be necessary to create additional DNS policies if all AP clusters in your deployment will be subject to the same policy. If this is the case for you, skip to the next section.
On the other hand, if you wish to apply a custom policy to a specific network device, you will need to add a new policy in dashboard -> Policies -> All Policies (DNS Policies), and select the network device in the policy.
When there is more than one policy on the DNS Policies (All Policies) page, the policies will be evaluated from top-to-bottom on a first-match basis. For more information, please see https://docs.umbrella.com/deployment-umbrella/docs/policy-precedence and https://docs.umbrella.com/deployment-umbrella/docs/best-practices-for-defining-policies.
3.3. Internal DNS
In an environment where internal DNS servers exist, and you want to forward DNS queries for certain (internal) domains to the internal DNS servers, you can use the "Enterprise Domains" feature in Instant.
DNS queries will continue to be intercepted by AP cluster after the feature is enabled, except that queries for the specified domains will no longer be forwarded to Umbrella. Instead, they will be forwarded to the DNS server IP addresses originally configured on the wireless clients' NICs (e.g. via DHCP). The feature is similar to the "Internal Domains" functionality available in standard Umbrella deployment methods (e.g. with virtual appliances), where Aruba Instant integration is not used.
To configure the feature on an Instant virtual controller, navigate to Configuration -> Tunnelling -> Enterprise Domains. Add domains to, or remove domains from, the Enterprise Domain Names list, and click the "Save" button. There is an implicit wildcard for any domain added to the list, so example.org implies *.example.org.
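The forwarding decision described above, as an added example that is not part of the original article or of Aruba's own code: the matching rule (implicit wildcard, so example.org also covers *.example.org) comes from the text; the function names, the return-value shape and the sample domains and resolver addresses are assumptions constructed for illustration. The match is done on label boundaries, so a name like notexample.org is not treated as internal.

```python
from typing import Iterable, Sequence, Tuple

def normalize(name: str) -> str:
    """Lower-case a DNS name and drop any trailing dot, so that
    'Corp.Example.ORG.' and 'corp.example.org' compare equal."""
    return name.strip().lower().rstrip(".")

def matches_enterprise_domain(qname: str, domain: str) -> bool:
    """True if qname is the listed domain itself or any name under it.
    The implicit wildcard from the article (example.org covers *.example.org)
    is applied on label boundaries, so 'notexample.org' does NOT match
    an entry of 'example.org'."""
    q, d = normalize(qname), normalize(domain)
    return q == d or q.endswith("." + d)

def route_query(qname: str, enterprise_domains: Iterable[str],
                client_dns_servers: Sequence[str]) -> Tuple[str, Tuple[str, ...]]:
    """Decide where the AP cluster forwards an intercepted client query.

    Returns ("internal", servers) when the name falls under an Enterprise
    Domain: the query goes to the resolvers the client's NIC already had
    (e.g. learned via DHCP). Otherwise returns ("umbrella", ()): the query
    is forwarded to Umbrella like every other intercepted query."""
    for domain in enterprise_domains:
        if matches_enterprise_domain(qname, domain):
            return ("internal", tuple(client_dns_servers))
    return ("umbrella", ())

if __name__ == "__main__":
    # Constructed sample data: two Enterprise Domain entries and a client
    # whose NIC learned two internal resolvers via DHCP (RFC 1918 addresses).
    enterprise = ["example.org", "corp.internal"]
    client_dns = ["10.0.0.53", "10.0.1.53"]
    for name in ["intranet.example.org", "example.org.", "notexample.org",
                 "fileserver.corp.internal", "www.cisco.com"]:
        print(f"{name:28} -> {route_query(name, enterprise, client_dns)}")
```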
Whether you have deployed Umbrella on your WLAN using the standard methods referenced in the "Deployment Overview" section of this guide, or the integration described in the "Aruba Instant Integration" section, you can verify that wireless clients are using Umbrella DNS by browsing to https://welcome.umbrella.com/ from one of the clients. You should see a green check similar to the screenshot displayed near the bottom of https://docs.umbrella.com/deployment-umbrella/docs/point-your-dns-to-cisco.
Alternatively, you can verify this by running the "nslookup -type=txt debug.opendns.com." command in a wireless client's command prompt. You should see an output with a number of text lines, similar to the screenshot in https://support.umbrella.com/hc/en-us/articles/234692027-Umbrella-Diagnostic-Tool. In the command output, you should see your Umbrella dashboard's org ID in the "orgid" or "organization id" line, and customers who use the Instant integration will see an extra "device" line that contains a device ID.
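Reading that nslookup output by hand is error-prone on a fleet of clients, so here is an added example (not part of the original article or of Umbrella's tooling) that parses captured output and reports the org ID, the device ID, and whether the device ID has the 16 digits the article says to expect. The sample output below is constructed; the real TXT record contents differ, and the record names beyond "orgid", "organization id" and "device" are assumptions.

```python
import re
from typing import Dict, Optional

# Constructed sample of what `nslookup -type=txt debug.opendns.com.` might print
# on a Wi-Fi client behind an Instant cluster. Every value here is made up; the
# real records differ, but they are quoted "key value" strings of this shape.
SAMPLE_OUTPUT = '''Server:  UnKnown
Address:  10.0.0.1

Non-authoritative answer:
debug.opendns.com       text = "server r1.example"
debug.opendns.com       text = "flags 20 0 70 0"
debug.opendns.com       text = "orgid 1234567"
debug.opendns.com       text = "device 1234567890123456"
debug.opendns.com       text = "source 203.0.113.4:51000"
'''

QUOTED_RE = re.compile(r'"([^"]*)"')                       # each TXT string
RECORD_RE = re.compile(r"^(organization id|\w+)\s+(.*)$")  # key, then value

def parse_debug_txt(output: str) -> Dict[str, str]:
    """Extract the quoted TXT strings from nslookup output and split each into
    a key and a value. 'organization id' is the one multi-word key the
    article mentions, so it is tried before the generic single-word key."""
    records: Dict[str, str] = {}
    for txt in QUOTED_RE.findall(output):
        m = RECORD_RE.match(txt.strip())
        if m:
            records[m.group(1)] = m.group(2).strip()
    return records

def check_umbrella(output: str) -> Dict[str, object]:
    """Summarise the records the way a WLAN admin reads them:
    using_umbrella - any TXT records at all means the query reached Umbrella
    org_id         - the dashboard org ID ('orgid' or 'organization id' line)
    device_id      - present only when an Instant cluster forwarded the query
    device_id_ok   - a valid network device ID typically has 16 digits"""
    rec = parse_debug_txt(output)
    org_id: Optional[str] = rec.get("orgid") or rec.get("organization id")
    device_id: Optional[str] = rec.get("device")
    return {
        "using_umbrella": bool(rec),
        "org_id": org_id,
        "device_id": device_id,
        "device_id_ok": device_id is not None
                        and re.fullmatch(r"\d{16}", device_id) is not None,
    }

if __name__ == "__main__":
    print(check_umbrella(SAMPLE_OUTPUT))
```

A client that is not resolving through Umbrella gets no TXT records back, so `using_umbrella` is False and both IDs are None.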
To review DNS queries in your Umbrella dashboard, navigate to Reporting -> Activity Search. Note that it may take some time (e.g. 15 minutes) for queries to display in the dashboard GUI. Instructions on how to use Activity Search are available at https://docs.umbrella.com/deployment-umbrella/docs/the-activity-search-report.