The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The SD-WAN Umbrella Integration feature enables cloud-based security service by inspecting the Domain Name System (DNS) query
that is sent to the DNS server through the device. The security administrator configures policies on the Umbrella portal to
either allow or deny traffic towards the fully qualified domain name (FQDN). The router acts as a DNS forwarder on the network
edge, transparently intercepts DNS traffic, and forwards the DNS queries to the Umbrella cloud.
Overview of Cisco SD-WAN Umbrella Integration
The Cisco SD-WAN Umbrella Integration feature provides cloud-based security service by inspecting the DNS query that is sent
to the DNS server through the device. When a host initiates the traffic and sends a DNS query, the Umbrella Connector in the
device intercepts and inspects the DNS query. If the DNS query is for a local domain, it forwards the query without changing
the DNS packet to the DNS server in the enterprise network. If it is for an external domain, it adds an Extended DNS (EDNS)
record to the query and sends it to Umbrella Resolver. An EDNS record includes the device identifier information, organization
ID and client IP. Based on this information, Umbrella Cloud applies different policies to the DNS query.
The Umbrella Integration cloud, based on the policies configured on the portal and the reputation of the DNS Fully Qualified
Domain Name (FQDN) may take one of the following actions:
If FQDN is found to be malicious or blocked by the customized Enterprise Security policy, then the IP address of the Umbrella
Cloud's blocked landing page is returned in the DNS response. This is called a blocked list action at Umbrella Cloud.
If FQDN is found to be non-malicious, then the IP address of the content provider is returned in the DNS response. This is
called a allowed list action at Umbrella Cloud.
If the FQDN is suspicious, then the intelligent proxy unicast IP addresses are returned in the DNS response. This is referred
to as grey list action at Umbrella Cloud.
When the DNS response is received, the device forwards the response back to the host. The host will extract the IP address
from the response and send the HTTP / HTTPS requests to this IP.
Note: The intelligent proxy option has to be enabled in the Umbrella dashboard for the Umbrella Resolver to return the intelligent
proxy unicast IP addresses in the DNS response when an attempt is made to access the domains in the grey list.
Handling HTTP and HTTPs Traffic
With Cisco SD-WAN Umbrella Integration, HTTP and HTTPs client requests are handled in the following ways:
If the Fully Qualified Domain Name (FQDN) in the DNS query is malicious (falls under blocked domains), Umbrella Cloud returns
the IP address of the blocked landing page in the DNS response. When the HTTP client sends a request to this IP, Umbrella
Cloud displays a page that informs the user that the requested page was blocked and the reason for blocking the page.
If the FQDN in the DNS query is non-malicious (falls under allowedlisted domains), Umbrella Cloud returns the IP address of
the content provider. The HTTP client sends the request to this IP address and gets the desired content.
If the FQDN in the DNS query falls under grey-listed domains, Umbrella Resolver returns the unicast IP addresses of intelligent
proxy in the DNS response. All HTTP traffic from the host to the grey domain gets proxied through the intelligent proxy and
undergo URL filtering.
One potential limitation in using intelligent proxy unicast IP addresses is the probability of the datacenter going down when
the client is trying to send the traffic to the intelligent proxy unicast IP address. This is a scenario where a client has
completed DNS resolution for a domain which falls under grey-listed domain and client’s HTTP/(S) traffic is being sent to
one of the obtained intelligent proxy unicast IP address. If that datacenter is down, then the client has no way of knowing
it.
The Umbrella Connector does not act on the HTTP and HTTPS traffic. The connector does not redirect any web traffic or alter
any HTTP/(S) packets.
Encrypting the DNS Packet
The DNS packet sent from the device to Umbrella Integration server must be encrypted if the EDNS information in the packet
contains information such as user IDs, internal network IP addresses, and so on. When the DNS response is sent back from the
DNS server, device decrypts the packet and forwards it to the host. You can encrypt DNS packets only when the DNScrypt feature
is enabled on the device.
The device uses the following Anycast recursive Umbrella Integration servers:
208.67.222.222
208.67.220.220
2620:119:53::53
2620:119:35::35
Restrictions for Umbrella Integration
If an application or host uses IP address directly instead of DNS to query domain names, policy enforcement is not applied.
When the client is connected to a web proxy, the DNS query does not pass through the device. In this case, the connector does
not detect any DNS request and the connection to the web server bypasses any policy from the Umbrella portal.
When the Umbrella Integration policy blocks a DNS query, the client is redirected to a Umbrella block page. HTTPS servers
provide these block pages and the IP address range of these block pages is defined by the Umbrella portal.
The type A, AAAA, and TXT queries are the only records that are redirected. Other types of query bypasses the connector. Umbrella
Connector maintains a list of IP address that is known for malicious traffic. When the Umbrella roaming client detects the
destination of packets to those addresses, it forwards those addresses to Umbrella cloud for further inspection.
Only the IPv4 address of the host is conveyed in the EDNS option.
A maximum of 64 local domains can be configured under bypass list, and the allowed domain name length is 100 characters.
Prerequisites for Umbrella Integration
Before you configure the Umbrella Integration feature, ensure that the following are met:
The device has a security K9 license to enable Umbrella Integration.
The device runs on the SD-WAN IOS XE 16.10 software image or later.
SD-WAN Umbrella subscription license is available.
The device is set as the default DNS server gateway and needs to ensure that the DNS traffic goes through the device.
Configure Umbrella API Token
To configure Umbrella API token:
In Cisco vManage NMS, select the Configuration > Security tab > Custom Options on the right side to configure the Umbrella API.
Select Umbrella API Token.
Enter token number in the Umbrella Token field.
Note
Must be exactly 40 hexadecimal.
Click Save Changesto configure the Umbrella API Token.
Define Domain Lists
To define Domain-List, use the vManage security configuration wizard:
In Cisco vManage NMS, select the Configuration > Security tab > Custom Options in the right side.
Click on Lists in the Custom Options drop-down.
Select Domain from the left pane.
Click on New Domain List to create a new domain list or select the domain name and click on pencil icon on the right side for the existing list.
Enter the Domain List Name, Add Domain and click Add to create the list.
Configure Umbrella DNS Policy Using vManage
To configure umbrella through DNS Security:
In Cisco vManage NMS, select the Configuration > Security tab in the left side panel.
Click Add Security Policy. The Add Security Policy wizard appears.
The Add Security Policy configuration wizard opens, and various use-case scenarios display.
In Add Security Policy, select Direct Internet Access.
Click Proceed to add an Umbrella DNS Security policy in the wizard.
In the Add Security Policy wizard, select DNS Security tab to create a new DNS Security policy.
Click the Add DNS Security Policy drop-down and select from the following options:
Create New - A DNS Security - Policy Rule Configuration wizard appears and continue with Step 8.
Copy from Existing - A Copy from Existing DNS Security Policy wizard appears. Select a Policy from the drop-down and enter Policy Name and copy the policy to a device.
If you are creating a new policy using Create New, a DNS Security - Policy Rule Configuration wizard appears.
Enter a policy name in the Policy Name field.
The Umbrella Registration Status displays the status about the API Token configuration.
Click on Manage Umbrella Registration to add a token.
Select Match All VPN option if you need to keep the same configuration for all the available VPNs and continue with Step 13.
Or select Custom VPNConfiguration if you need to add target VPNs to your policy. A Target VPNs wizard appears.
To add target VPNs, click Target VPNs in the Add DNS Security Policy wizard.
Click Save Changes to add the VPN.
Select the domain bypass from the Local Domain Bypass List drop-down as shown.
Configure the DNS Server IP from the following options:
Umbrella Default
Custom DNS
Click on the Advanced tab to enable or disable the DNSCrypt. By default, the DNSCrypt is enabled.
Click Save DNS Security Policy to configure DNS Security policy. The Configuration > Security screen is then displayed, and the DNS Policy list table includes the newly created DNS Security Policy.
Apply DNS Umbrella Policy to an IOS XE Router
To apply DNS Umbrella Policy:
In vManage NMS, select the Configuration > Templates screen.
In the Device tab, select From Feature Template from the Create Template drop-down,.
From the Device Model drop-down, select one of the IOS XE devices.
Click the Additional Templates tab. The screen scrolls to the Additional Templates section.
From the Security Policy drop-down, select the name of the Umbrella DNS Security Policy you configured in the above procedure.
Click Create to apply Umbrella policy to a device.
Monitoring Umbrella Feature
You can monitor the registered VPNs, DNSCrypt status, packet counts for required timestamps on a umbrella configured router
using the following steps.
To monitor the status of Umbrella DNS Configuration on IOS XE device:
From the Monitor > Network screen, select an IOS XE device.
In the left panel, under Security Monitoring, select Umbrella DNS Re-direct tab. The Umbrella DNS Re-direct wizard displays showing how many packets are redirected to configured DNS server.
Click on Local Domain Bypass to monitor the packet counts showing how many packets are bypassed to DNS server.
Umbrella Integration Using CLI
Configure the Umbrella Connector
Communication for device registration to the Cisco Umbrella server is via HTTPS. This requires a DigiCert root certificate
which is auto installed on the router by default.
To configure Umbrella Connector:
Get the API token from the Umbrella portal.
Define VRFs and each VRF can has two options: DNS resolver and enabling local domain list.
Umbrella registration is done per VRF only if DNS resolver is configured as Umbrella.
Local domain bypass list is global and each VRF can enable or disable the local domain bypass list. If enabled, the DNS packet
will be matched against the local domain list.
Umbrella is a Direct Internet Access (DIA) feature, so NAT configuration is mandatory.
Sample configuration:
Device# config-transaction
Device(config)# parameter-map type umbrella global
Device(config-profile)#?
parameter-map commands:
dnscrypt Enable DNSCrypt
exit Exit from parameter-map
local-domain Local domain processing
no Negative or set default values of a command
public-key DNSCrypt provider public key
registration-vrf Cloud facing vrf
resolver Anycast address
token Config umbrella token
udp-timeout Config timeout value for UDP sessions
vrf Configure VRF
Per-VRF options are provided under VRF option:
Device(config)# parameter-map type umbrella global
Device(config-profile)#vrf 9
Device(config-profile-vrf)#?
vrf options:
dns-resolver DNS resolver address
exit Exit from vrf sub mode
match-local-domain Match local-domain list(if configured)
no Negate a command or set its defaults
parameter-map type regex dns_bypass
pattern www.cisco.com
pattern .*amazon.com
pattern .*.salesforce.com
!
parameter-map type umbrella global
token 648BF6139C379DCCFFBA637FD1E22755001CE241
local-domain dns_bypass
dnscrypt udp-timeout 5
vrf 9
dns-resolver 8.8.8.8
match-local-domain
vrf 19
dns-resolver 8.8.8.8
no match-local-domain
vrf 29
dns-resolver umbrella
match-local-domain
vrf 39
dns-resolver umbrella
no match-local-domain
!
The following table captures the per VRF DNS packet behavior:
VRF
dns-resolver
Match-local-domain (dns_bypass)
9
8.8.8.8
Yes
19
8.8.8.8
No
29
umbrella
Yes
39
umbrella
No
Note
The VRFs must be preconfigured. For example, the VRFs 9,19, 29, 39 are preconfigured in the above example.
Sample NAT config for DIA internet connectivity:
ip access-list extended dia-nat-acl
10 permit ip any any
ip nat inside source list dia-nat-acl interface <WAN-facing-Interface> overload
“ip nat outside” MUST be configured under <WAN-facing-Interface>
Configure the Device as a Pass-through Server
You can identify the traffic to be bypassed using domain names. In the SD-WAN device, you can define these domains in the
form of regular expressions. If the DNS query that is intercepted by the device matches one of the configured regular expressions,
then the query is bypassed to the specified DNS server without redirecting to the Umbrella cloud. This sample configuration
shows how to define a regex parameter-map with a desired domain name and regular expressions:
When you configure the device using the parameter-map type umbrella global command, the following values are auto-populated:
DNSCrypt
Public-Key
Public-key
Public-key is used to download the DNSCrypt certificate from Umbrella Integration cloud. This value is preconfigured to
B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79 which is the public-key of Umbrella Integration Anycast servers. If there is a change in the public-key and if you modify
this command, then you have to remove the modified command to restore the default value. If you modify the value, the DNSCrypt
certificate download may fail.
DNSCrypt
DNSCrypt is an encryption protocol to authenticate communications between the device and the Umbrella Integration. When the
parameter-map type umbrella is configured and enabled by default on all WAN interfaces. DNSCrypt gets triggered and a certificate is downloaded, validated,
and parsed. A shared secret key is then negotiated, which is used to encrypt the DNS queries. For every hour this certificate
is automatically downloaded and verified for an upgrade, a new shared secret key is negotiated to encrypt the DNS queries.
To disable DNSCrypt, use the no dnscrypt command and to re-enable DNSCrypt, use the dnscrypt command.
When the DNSCrypt is used, the DNS request packets size is more than 512 bytes. Ensure that these packets are allowed through
the intermediary devices; otherwise, the response may not reach the intended recipients.
Sample umbrella dnscrypt notifications:
Device# show sdwan umbrella dnscrypt
DNSCrypt: Enabled
Public-key: B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79
Certificate Update Status:
Last Successfull Attempt: 08:46:32 IST May 21 2018
Certificate Details:
Certificate Magic : DNSC
Major Version : 0x0001
Minor Version : 0x0000
Query Magic : 0x714E7A696D657555
Serial Number : 1517943461
Start Time : 1517943461 (00:27:41 IST Feb 7 2018)
End Time : 1549479461 (00:27:41 IST Feb 7 2019)
Server Public Key : 240B:11B7:AD02:FAC0:6285:1E88:6EAA:44E7:AE5B:AD2F:921F:9577:514D:E226:D552:6836
Client Secret Key Hash: 8A97:BBD0:A8BE:0263:F07B:72CB:BB21:330B:D47C:7373:B8C8:5F96:9F07:FEC6:BBFE:95D0
Client Public key : 0622:C8B4:4C46:2F95:D917:85D4:CB91:5BCE:78C0:F623:AFE5:38BC:EF08:8B6C:BB40:E844
NM key Hash : 88FC:7825:5B58:B767:32B5:B36F:A454:775C:711E:B58D:EE6C:1E5A:3BCA:F371:4285:5E3A
When disabled:
Device# show umbrella dnscrypt
DNSCrypt: Not enabled
Public-key: NONE
Sample configuration steps for dns-resolver and match-local-domain-to-bypass per vrf:
Router(config)# vrf definition 1
Router(config-vrf)# address-family ipv4
Router(config-ipv4)# exit-address-family
Router(config-vrf)# commitCommit complete.
Router(config-vrf)# exit
Router(config)# parameter-map type umbrella global
Router(config-profile)# ?
Possible completions:
dnscrypt
local-domain
public-key
registration-vrf
resolver
token
udp-timeout
vrf
Router(config-profile)# vrf ?
This line doesn't have a valid range expression
Possible completions:
<name:string, min: 1 chars, max: 32 chars> 1
Router(config-profile)# vrf 1
Router(config-profile-vrf)# ?
Possible completions:
dns-resolver
match-local-domain-to-bypass
Router(config-profile-vrf)# dns-resolver umbrella
Router(config-profile-vrf)# match-local-domain-to-bypass
Router(config-profile-vrf)# commit
Commit complete.
Router(config-profile-vrf)# end
Router(config)# vrf definition 2
Router(config-vrf)# address-family ipv4
Router(config-ipv4)# exit-address-family
Router(config-vrf)# commitCommit complete.
Router(config-vrf)# exit
Router(config)# parameter-map type umbrella global
Router(config-profile)# vrf 2
Router(config-profile-vrf)# dns-resolver 8.8.8.8
Router(config-profile-vrf)# no match-local-domain-to-bypass
Router(config-profile-vrf)# commit
Commit complete.
Router(config-profile-vrf)# end
Router#sh umbrella config
Umbrella Configuration
========================
Token: AAC1A2555C11B2B798FFF3AF27C2FB8F001CB7B2
OrganizationID: 1882034
Local Domain Regex parameter-map name: NONE
DNSCrypt: Enabled
Public-key: B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79
UDP Timeout: 5 seconds
Resolver address:
1. 208.67.220.220
2. 208.67.222.222
3. 2620:119:53::53
4. 2620:119:35::35
Registration VRF: default
VRF List:
1. VRF 1 (ID: 1)
DNS-Resolver: umbrella
Match local-domain-to-bypass: Yes
2. VRF 2 (ID: 3)
DNS-Resolver: 8.8.8.8
Match local-domain-to-bypass: No
Verify the Umbrella Connector Configuration
Verify the Umbrella Connector configuration using the following commands:
Device# show umbrella config
Umbrella Configuration
========================
Token: 648BF6139C379DCCFFBA637FD1E22755001CE241
OrganizationID: 1892929
Local Domain Regex parameter-map name: dns_bypass
DNSCrypt: Enabled
Public-key: B735:1140:206F:225D:3E2B:D822:D7FD:691E:A1C3:3CC8:D666:8D0C:BE04:BFAB:CA43:FB79
UDP Timeout: 5 seconds
Resolver address:
1. 208.67.220.220
2. 208.67.222.222
3. 2620:119:53::53
4. 2620:119:35::35
Registration VRF: default
VRF List:
1. VRF 9 (ID: 4)
DNS-Resolver: 8.8.8.8
Match local-domain: Yes
2. VRF 19 (ID: 1)
DNS-Resolver: 8.8.8.8
Match local-domain: No
3. VRF 29 (ID: 2)
DNS-Resolver: umbrella
Match local-domain: Yes
4. VRF 39 (ID: 3)
DNS-Resolver: umbrella
Match local-domain: No
The output of VRF will have name and ID. The ID here is VRF ID:
Device# show vrf detail | inc VRF Id
VRF 19 (VRF Id = 1); default RD <not set>; default VPNID <not set>
VRF 29 (VRF Id = 2); default RD <not set>; default VPNID <not set>
VRF 39 (VRF Id = 3); default RD <not set>; default VPNID <not set>
VRF 9 (VRF Id = 4); default RD <not set>; default VPNID <not set>
When DNSCrypt is disabled:
Device# show umbrella config
Umbrella Configuration
========================
Token: 648BF6139C379DCCFFBA637FD1E22755001CE241
OrganizationID: 1892929
Local Domain Regex parameter-map name: dns_bypass
DNSCrypt: Not enabled
Public-key: NONE
UDP Timeout: 5 seconds
Resolver address:
1. 208.67.220.220
2. 208.67.222.222
3. 2620:119:53::53
4. 2620:119:35::35
Registration VRF: default
VRF List:
1. VRF 9 (ID: 4)
DNS-Resolver: 8.8.8.8
Match local-domain: Yes
2. VRF 19 (ID: 1)
DNS-Resolver: 8.8.8.8
Match local-domain: No
3. VRF 29 (ID: 2)
DNS-Resolver: umbrella
Match local-domain: Yes
4. VRF 39 (ID: 3)
DNS-Resolver: umbrella
Match local-domain: No
Display Umbrella Registration Details
The following example displays the device registration information:
Device# show sdwan umbrella device-registration
Device registration details
VRF Tag Status Device-id29
vpn29 200 SUCCESS 010a9b2b0d5cb21f39
vpn39 200 SUCCESS 010a1a2e1989da19
The following example displays the device registration information in detail:
Device# show umbrella deviceid detailed
Device registration details
1.29
Tag : vpn29
Device-id : 010a9b2b0d5cb21f
Description : Device Id recieved successfully
WAN interface : None
2.39
Tag : vpn39
Device-id : 010a1a2e1989da19
Description : De
vice Id recieved successfully
WAN interface : None
Configure Cisco Umbrella Using a CLI Device Template
The show platform hardware qfp active feature umbrella datapath memory command displays CFT information.
Device# show platform hardware qfp active feature umbrella datapath memory
==Umbrella Connector CFT Information==
CFT inst_id 0 feat id 0 fo id 0 chunk id 4
==Umbrella Connector Runtime Information==
umbrella init state 0x4
umbrella dsa client handler 0x2
The show platform hardware qfp active feature umbrella datapath runtime command displays internal information. For example, key index used for DNSCrypt.
Device# show platform hardware qfp active feature umbrella datapath runtime
udpflow_ageout: 5
ipv4_count: 2
ipv6_count: 2
ipv4_index: 0
ipv6_index: 0
Umbrella IPv4 Anycast Address
IP Anycast Address0: 208.67.220.220
IP Anycast Address1: 208.67.222.222
Umbrella IPv6 Anycast Address
IP Anycast Address0: 2620:119:53:0:0:0:0:53
IP Anycast Address1: 2620:119:35:0:0:0:0:35
=DNSCrypt=
key index: 0
-key[0]-
sn: 1517943461
ref cnt: 0
magic: 714e7a696d657555
Client Public Key: A5BA:18C5:5970:6794:E537:3833:06F9:6383:3986:82E4:00F5:D8BE:C1AA:774A:4CBA:6400
NM Key Hash : 16E6:DDC7:53BE:2929:1CDA:06AE:0BE2:C270:6E39:EAE7:F925:78FD:3599:2AB6:74C9:A59D
-key[1]-
sn: 0
ref cnt: 0
magic: 0000000000000000
Client Public Key: 0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000
NM Key Hash : 0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000:0000
Local domain 1
VPN-DEVICEID TABLE d7f37410
Clear Command
The clear platform hardware qfp active feature umbrella datapath stats command clears the Umbrella connector statistics in datapath.