DNS Security Function on Cisco Umbrella

DNS Security Function on Cisco Umbrella

When a host starts transmitting traffic and sends a DNS query, the device's Umbrella Connector intercepts and inspects the DNS query. If the DNS query is for a local domain, it transmits the inquiry to the enterprise network's DNS server without modifying the DNS packet. If the query is for an external domain, it adds an Extended DNS (EDNS) record to it and sends it to the Cisco Umbrella Resolver. An EDNS record contains information about the device's identity, the organization ID, and the endpoint's IP address. 

Based on the policies defined on the portal and the reputation of the DNS fully qualified domain name (FQDN), the Cisco Umbrella Integration cloud may perform one of these actions:

• If the FQDN is malicious or blocked by the Enterprise Security policy, the DNS response contains the IP address of the Cisco Umbrella Cloud's blocked landing page. Cisco Umbrella Cloud calls this blocked list action.
• If the FQDN is benign, the DNS answer includes the content provider's IP address. It is a Cisco Umbrella Cloud allowed list action.
• If the FQDN is suspicious, the DNS response includes the intelligent proxy unicast IP addresses. At Cisco Umbrella Cloud, it is called a gray list action.

When the device receives a DNS response, it returns it to the host. The host will use the response's IP address to send HTTP or HTTPS queries.