Some customers may find that Umbrella isn't working as expected even though they are pointing their DNS to our Resolvers.
Many ISPs (Internet Service Providers) can use a type of DNS hijacking to take control of a user's DNS requests. The reasons vary, but it is often done to collect statistics, to return ads when users access an unknown domain, and sometimes for content filtering. Some governments use DNS hijacking for censorship, redirecting users to government-authorized sites.
Depending on your ISP or your router/modem configuration, you may find that your DNS requests are not reaching Umbrella because of this DNS hijacking. This article will help you check whether you are affected and what to do next to resolve it.
How to check if your DNS requests are reaching Umbrella
- First, check to see that your endpoint device is configured to point to the Umbrella Resolvers (220.127.116.11 & 18.104.22.168)
- If you are pointing your DNS to your DCs, please ensure that the forwarder settings of your DCs are configured to point to Umbrella
- To test whether your computer is using OpenDNS, navigate to: http://welcome.opendns.com. If you do not see a success message, it's possible that your ISP could be intercepting your DNS traffic.
- Use the following tool and run the 'Extended Test' to check which DNS resolvers you are using: https://dnsleaktest.com
- This is an example of a 'good', working scenario where DNS is reaching Umbrella (OpenDNS):
- The following is an example of a 'bad', not working scenario where DNS is being hijacked/intercepted by the ISP:
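A command-line version of the check above, as an added example that is not part of the original article: it asks the resolver in use for the TXT record of debug.opendns.com, an OpenDNS diagnostic name this article does not mention, which (assumption) only Umbrella/OpenDNS resolvers answer. The function names, result strings, and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: tell whether DNS answers come from Umbrella/OpenDNS.
# Assumption: Umbrella resolvers answer "TXT debug.opendns.com" with diagnostic
# strings ("server ...", "source ip:port"); any other resolver returns nothing.

# Reads `dig +short TXT debug.opendns.com` output on stdin and prints either
#   umbrella server=<site> source=<public IP the resolver saw>
# or
#   not-umbrella
classify_debug_txt() {
    awk '
        { gsub(/"/, "") }              # dig +short wraps each TXT string in quotes
        $1 == "server" { server = $2 } # resolver site that answered
        $1 == "source" { sub(/:[0-9]+$/, "", $2); source = $2 }  # drop the port
        END {
            if (server != "") printf "umbrella server=%s source=%s\n", server, source
            else              print "not-umbrella"
        }'
}

# Live check. With no argument the system resolver is used; pass a resolver IP
# to query it directly. A direct query that comes back "not-umbrella" means the
# request was answered somewhere before it reached Umbrella.
check_umbrella() {
    dig +short +time=3 +tries=1 TXT debug.opendns.com ${1:+"@$1"} 2>/dev/null |
        classify_debug_txt
}

# Constructed sample outputs (not captured from a real network).
SAMPLE_GOOD='"server m84.fra"
"flags 20 0 70 0"
"originid 0"
"source 203.0.113.7:51234"'
SAMPLE_INTERCEPTED=''   # an intercepting resolver has no such record

printf 'good sample:        %s\n' "$(printf '%s\n' "$SAMPLE_GOOD" | classify_debug_txt)"
printf 'intercepted sample: %s\n' "$(printf '%s' "$SAMPLE_INTERCEPTED" | classify_debug_txt)"
```

To run it against a live network, call `check_umbrella` with no argument or with the IP of the resolver your endpoint is configured to use. The `source` value is the public IP the resolver saw for your query.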
If you find that your ISP is hijacking your DNS queries, please reach out to the ISP's technical support team, who will be able to assist you further with disabling any DNS redirection on your router/modem. As the DNS redirection is happening before the request reaches Umbrella, this falls outside of our support scope.
Please also note that Comcast offers a product/service called ‘Comcast Business SecurityEdge’. This is the service/product that offers the DNS filtering that overrides anything set at the client level. If your organization is behind the Comcast Business Gateway modem, all DNS will go through NetActuate DNS servers. If you are using Comcast but aren't sure if you are using their 'Security Edge' feature, please check this with Comcast support.
After you have resolved this with your ISP, you can visit http://www.opendns.com/welcome/ again to test whether or not you are using Umbrella. If you are still facing issues after speaking with your ISP, please reach out to our support team who will be able to assist further.