Local DNS Forwarding

As described in the Introduction, virtual appliances (VAs) are conditional DNS forwarders in your network: they forward public DNS queries to Umbrella and local DNS queries to your existing local DNS servers or forwarders.

When the VAs receive queries which match domains or subdomains of a local DNS zone (local domain), the VA forwards those queries to your local DNS server for resolution instead of Umbrella's public DNS resolvers. This is accomplished by defining your local domain names in the Umbrella dashboard.


Do not set your local DNS forwarders to point to the VAs. This configuration can create DNS loops and is neither recommended nor supported. The diagram above is meant to represent the typical flow of DNS traffic from a client and not how a local DNS forwarder should be pointed.

Domain Management and the Umbrella Dashboard

  1. Navigate to Deployments > Configuration > Domain Management.

Any DNS queries received by the VAs which match a domain on the Internal Domains list, or subdomain thereof, are forwarded to the local DNS server as described in Configure Virtual Appliances.

The following domains and zones are pre-populated and do not need to be added:

  • RFC1918—Non-publicly routable address spaces used only for reverse DNS on internal networks. All local IP address space for reverse lookups (PTR records) is covered with this entry. Adding reverse lookup zones is not needed.
  • .local—Any domain name with a TLD of .local.
  2. Click Add.
    You have a choice of what type of identities are set to respect these internal domains:
    • All Sites—Covers all requests that are made through a VA.
    • Sites listed under All Sites—Covers requests only made through VAs deployed in the selected sites.
    • All Devices—Covers all requests that are made through a roaming device.

If you do not plan on using roaming clients, you may leave this option at the default setting—All Sites and All Devices.

What format does the internal domains list accept?

See Manage Destination Lists. Note that only domains may be entered into the Internal Domains list.

Which domains should be added?

Any domain name which has a forward lookup zone on your local DNS servers must be added. If you already know which domains to add, skip this section.

On Windows Server, this information is located in the DNS Manager tool.

  1. Open the DNS Manager (Start > Run > and type "dnsmgmt.msc").
  2. Expand the Server name and Forward Lookup Zones sections. Any domains listed here are treated as local by your local DNS forwarders and must be added to the Internal Domains section of the Umbrella dashboard. This is a critical part of the setup process.
  3. If any public IPs are in use as local IPs, also add the Reverse Lookup Zone of any public IPs which have local DNS records attached. RFC-1918 reverse lookup zones are included by default. These are entered in the format.
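The check below is an added example, not Cisco's code: it compares the zone names read from DNS Manager against the Internal Domains list and reports the zones that the list does not cover, so queries for them would go to Umbrella rather than to the local DNS server. It assumes matching is exact-or-subdomain on a label boundary (as the page words it) and that the pre-populated RFC1918 entry covers the reverse zones of the three RFC 1918 ranges; the function names and sample data are constructed.

```python
import ipaddress

# The three RFC 1918 ranges; the page says their reverse zones are pre-populated.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PREPOPULATED = {"local"}  # the ".local" TLD entry named on the page
SUFFIX = ".in-addr.arpa"

def normalize(name):
    return name.strip().rstrip(".").lower()

def reverse_zone_network(zone):
    """IPv4 network served by an in-addr.arpa zone, or None if not one."""
    zone = normalize(zone)
    if not zone.endswith(SUFFIX):
        return None
    octets = zone[:-len(SUFFIX)].split(".")[::-1]
    try:
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
    except ValueError:  # classless or malformed zone name
        return None

def is_covered(zone, internal_domains):
    """Assumed matching rule: exact domain or subdomain on a label boundary."""
    zone = normalize(zone)
    net = reverse_zone_network(zone)
    if net is not None and any(net.subnet_of(r) for r in RFC1918):
        return True
    listed = PREPOPULATED | {normalize(d) for d in internal_domains}
    labels = zone.split(".")
    return any(".".join(labels[i:]) in listed for i in range(len(labels)))

def missing_zones(server_zones, internal_domains):
    """Zones hosted locally that the Internal Domains list does not cover."""
    return [z for z in map(normalize, server_zones)
            if not is_covered(z, internal_domains)]

# Constructed sample data: zone names as read from DNS Manager, and a list
# as it might be entered in the dashboard. 203.0.113.0/24 stands in for a
# public range used internally.
SERVER_ZONES = ["corp.example.com", "_msdcs.corp.example.com", "lab.local",
                "partner-example.com", "10.in-addr.arpa",
                "1.168.192.in-addr.arpa", "113.0.203.in-addr.arpa"]
INTERNAL_DOMAINS = ["example.com"]

if __name__ == "__main__":
    for zone in missing_zones(SERVER_ZONES, INTERNAL_DOMAINS):
        print("add to Internal Domains:", zone)
```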

(Optional) Add A & PTR Records for the VAs

Adding A and PTR records for the VAs makes them easy to identify within your network topology, including firewall and security appliance logs.

If you’re unfamiliar with adding A and PTR records, see the Microsoft articles:

After adding A and/or PTR records, verify the records:

Verify PTR record
Enter: "nslookup (VA IP ADDRESS)" in a command prompt. You should see the record in the last line of the result.

    Non-authoritative answer: = []

Verify A record
Enter: "nslookup (VA HOSTNAME)" in a command prompt. You should see the record in the last line of the result.

    Non-authoritative answer:  


Updated 5 months ago
