As described in the Introduction, virtual appliances (VAs) are conditional DNS forwarders in your network, forwarding public DNS queries to Umbrella, and local DNS queries to your existing local DNS servers/forwarders, respectively.
When the VAs receive queries which match domains or subdomains of a local DNS zone (local domain), the VA forwards those queries to your local DNS server for resolution instead of Umbrella's public DNS resolvers. This is accomplished by defining your local domain names in the Umbrella dashboard.
Do not set your local DNS forwarders to point to the VAs. It's possible to create loops in DNS in this configuration and it's not recommended or supported. The diagram above is meant to represent the typical flow of DNS traffic from a client and not how a local DNS forwarder should be pointed.
- Navigate to Deployments > Configuration > Domain Management.
Any DNS queries received by the VAs which match a domain on the Internal Domains list, or subdomain thereof, will be forwarded to the local DNS server as described in Configure Virtual Appliances.
The following domains/zones are pre-populated and do not need to be added:
- RFC1918—Non-publicly routable address spaces used only for reverse DNS on internal networks. All local IP address space for reverse lookups (PTR records) is covered with this entry. Adding in-addr.arpa reverse lookup zones is not needed.
- .local—Any domain name with a TLD of .local.
You have a choice of what type of identities are set to respect these internal domains:
- All Appliances and Devices
- Roaming Devices Only
- Virtual Appliances Only
If you do not plan on using roaming clients, you may leave this option at the default setting (All Appliances and Devices).
See Manage Destination Lists. Note that only domains may be entered into the Internal Domains list.
Any domain name which has a forward lookup zone on your local DNS servers must be added. If you already know which domains to add, skip this section.
On Windows Server, this information is located in the DNS Manager tool.
- Open the DNS Manager (Start > Run > and type "dnsmgmt.msc").
- Expand the Server name and Forward Lookup Zones sections. Any domains listed here are treated as local by your local DNS forwarders and must be added to the Internal Domains section of the Umbrella dashboard. This is a critical part of the setup process.
- If any public IPs are in use as local IPs, also add the Reverse Lookup Zone of any public IPs which have local DNS records attached. RFC-1918 reverse lookup zones are included by default. These are entered in the in-addr.arpa format.
Adding A and PTR records for the VAs makes them easy to identify within your network topology, including firewall and security appliance logs. Not important? Skip this section.
If you’re unfamiliar with adding A and PTR records, see the Microsoft articles Add a pointer (PTR) resource record to a reverse lookup zoned and Add a host (A or AAAA) resource record to a zone.
After adding A and/or PTR records, verify the records:
Verify PTR record
Enter: "nslookup (VA IP ADDRESS)" in a command prompt. You should see the record in the last line of the result.
nslookup 192.168.1.10 Server:192.168.1.1 Address:192.168.1.1#53 Non-authoritative answer: 9.168.192.in-addr.arpaname = [va01.corp.domain.com]
Verify A record
Enter: "nslookup (VA HOSTNAME)" in a command prompt. You should see the record in the last line of the result.
nslookup va01.corp.domain.com Server: 192.168.1.1 Address: 192.168.1.1#53 Non-authoritative answer: Name: va01.corp.domain.com Address: 192.168.1.9