Windows Server can protect clients using a network identity by acting as a DNS forwarder. Domain Controllers or any other server with the DNS role may send DNS to Umbrella from a registered network.
In the DNS Manager (dnsmgmt.msc), right-click on the server's name in the tree and choose Properties.
Go to the Forwarders tab, hit the Edit... button, and enter the Umbrella DNS servers by their IP addresses.
Hit OK in the Edit Forwarders window and your entries will appear as below.
The "Use root hints if no forwarders are available" box should be unchecked.
Notes on Best Practice
"Use root hints if no forwarders are available" should be unchecked. Protection and logging from Umbrella will be unpredictably bypassed if this option is selected. For example, if a name fails DNSSEC validation or is being protected against an active DDoS attack, the Windows DNS server may think Umbrella is unresponsive and try to recurse for it directly using root hints.
Only use Umbrella as forwarders; do not configure any third-party resolvers. Umbrella can only log and protect the queries that it receives. If more redundancy is required, add all 4 Umbrella anycast IP addresses as shown in the example above.
If using Umbrella Sites and Virtual Appliances, you may point to a local Virtual Appliance as a forwarder instead of the Umbrella anycast addresses:
- Avoid request loops: If a Virtual Appliance has your server configured as one of its "local DNS servers", do not add that Virtual Appliance as a forwarder.
- A Virtual Appliance will only "see" the IP address of the DNS server, not the addresses of the clients served by it.
- If using Active Directory Integration with the Virtual Appliance, make sure the Windows DNS server IP is added as an exception. Go to the Umbrella Dashboard under Deployments > Sites and Active Directory > Service Account Exceptions and add the IP address of your DNS server. This will prevent misattribution of user identities to traffic from the server.
Do not add Umbrella servers to the Root Hints tab. The Umbrella DNS servers are recursive resolvers, and are not meant to act as roots for iterative lookups. The behavior will be undesirable, and bypasses Umbrella protection and logging.