DNS Security Function on Cisco Umbrella

When a host starts transmitting traffic and sends a DNS query, the Umbrella Connector on the device intercepts and inspects the query. If the query is for a local domain, the connector forwards it to the enterprise network's DNS server without modifying the DNS packet. If the query is for an external domain, the connector adds an Extended DNS (EDNS) record to it and sends it to the Cisco Umbrella Resolver. That EDNS record carries the device's identity, the organization ID, and the endpoint's IP address.

Based on the policies defined in the portal and the reputation of the queried fully qualified domain name (FQDN), the Cisco Umbrella Integration cloud performs one of these actions:

  • If the FQDN is malicious or blocked by the enterprise security policy, the DNS response contains the IP address of the Cisco Umbrella cloud's block landing page. Cisco Umbrella calls this a blocked list action.
  • If the FQDN is benign, the DNS response contains the content provider's IP address. Cisco Umbrella calls this an allowed list action.
  • If the FQDN is suspicious, the DNS response contains the unicast IP addresses of the intelligent proxy. Cisco Umbrella calls this a gray list action.

When the device receives the DNS response, it returns it to the host. The host then uses the IP address from the response for its HTTP or HTTPS requests.
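As an added example that is not part of the original page or of Cisco's code, the following Python models the connector behaviour described above: a query for a local domain is built for the corporate DNS server unchanged, a query for an external domain gets an EDNS0 OPT record carrying the device identity, and the A record in the answer is mapped onto the three list actions. The Umbrella option code, the payload layout, the enterprise resolver address, and the block-page and proxy IPs are assumptions or constructed values; 208.67.222.222 is Cisco Umbrella's public resolver.

```python
import struct
import ipaddress

# Constructed values for this example. The real Umbrella option code and payload layout are
# not on the page, so an RFC 6891 local/experimental code (65001-65534) and a "|"-joined payload stand in.
UMBRELLA_OPT_CODE = 65001
CORPORATE_DNS = "10.0.0.53"           # assumed enterprise DNS server
UMBRELLA_RESOLVER = "208.67.222.222"  # Cisco Umbrella public resolver address
BLOCK_PAGE_IPS = {"192.0.2.10"}               # constructed block-page address
PROXY_IPS = {"192.0.2.20", "192.0.2.21"}      # constructed intelligent-proxy unicast IPs

def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(qname, local_suffixes, device_id, org_id, endpoint_ip, txid=0x1234):
    """Mimic the connector: return (resolver_to_use, wire_format_query)."""
    n = qname.rstrip(".")
    is_local = any(n == s or n.endswith("." + s) for s in local_suffixes)
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT (1 when an OPT RR is added)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0 if is_local else 1)
    question = _encode_name(qname) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if is_local:
        return CORPORATE_DNS, header + question      # forwarded unmodified
    payload = b"|".join([device_id.encode(), org_id.encode(), ipaddress.ip_address(endpoint_ip).packed])
    option = struct.pack(">HH", UMBRELLA_OPT_CODE, len(payload)) + payload
    # OPT RR: root name, TYPE=41, UDP payload size 4096, extended RCODE/flags 0, RDLENGTH
    opt_rr = b"\x00" + struct.pack(">HHIH", 41, 4096, 0, len(option)) + option
    return UMBRELLA_RESOLVER, header + question + opt_rr

def umbrella_option(packet):
    """Parse a query and return the identity payload carried in its OPT RR, or None."""
    arcount = struct.unpack(">H", packet[10:12])[0]
    pos = 12
    while packet[pos] != 0:            # skip the question name, label by label
        pos += packet[pos] + 1
    pos += 1 + 4                       # root label plus QTYPE/QCLASS
    if arcount == 0 or packet[pos] != 0:
        return None
    rtype, _udp, _ttl, _rdlen, code, olen = struct.unpack(">HHIHHH", packet[pos + 1:pos + 15])
    if rtype != 41 or code != UMBRELLA_OPT_CODE:
        return None
    return packet[pos + 15:pos + 15 + olen]

def classify_answer(answer_ip):
    """Map the A record in the response onto the three Umbrella list actions."""
    if answer_ip in BLOCK_PAGE_IPS:
        return "blocked list"
    if answer_ip in PROXY_IPS:
        return "gray list"
    return "allowed list"
```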

GENERAL FAQ

When a device sends a DNS query, its Umbrella Connector intercepts and inspects the query. Queries for domains local to the enterprise are forwarded to the corporate DNS server, while queries for external domains are routed to the Cisco Umbrella Resolver.

For external queries, the connector adds an Extended DNS (EDNS) record carrying the device identity, the organization ID, and the endpoint's IP address before sending the query to the Cisco Umbrella Resolver. Cisco Umbrella uses this information to apply the appropriate security policy to the query.

Cisco Umbrella evaluates the domain's reputation against the security policies configured in the portal. Based on this assessment, the request is allowed, blocked, or sent through the intelligent proxy for further inspection.

A blocked list action occurs when the domain is malicious or restricted by policy. The DNS response then carries the IP address of the Cisco Umbrella block page instead of the real destination, and when the HTTP client connects to that address, Cisco Umbrella serves a page telling the user that the site has been blocked.

If the FQDN in the DNS query is non-malicious (an allowed, or whitelisted, domain), Cisco Umbrella returns the content provider's IP address, and the HTTP client requests the content from that address directly.

For greylisted (suspicious) domains, the Umbrella Resolver returns the unicast IP addresses of the intelligent proxy in the DNS response. All HTTP traffic from the host to the gray domain is proxied and URL-filtered, so the traffic is inspected before it is allowed through to the intended destination.

When the device receives the DNS response, it returns it to the host, which sends its HTTP or HTTPS request to the address supplied. What happens next depends on the status of the domain: blocked, allowed, or flagged as suspicious.
