You've deployed virtual appliances (VAs), configured them, and set up internal domains. Now it's time to test and eventually point production DNS traffic towards them.
To begin enforcing your settings, DNS traffic from the endpoints on your network must exclusively use the VAs as DNS forwarder.
Before configuring endpoints to utilize the VAs for DNS traffic, ensure that the VAs are capable of resolving public and local DNS queries. The simplest test is to open a command prompt from a local endpoint and run the nslookup command:
nslookup opendns.com (VA IP Address)
nslookup opendns.com. 192.168.10.1 Server: 192.168.10.1 Address: 192.168.10.1#53 Non-authoritative answer: Name: opendns.com Address: 220.127.116.11
If the lookup times out, double check that the firewall requirements outlined in Prerequisites have been met.
If the test succeeds, perform the same test again, but this time with a local resource, such as a domain controller or mail server.
nslookup dc01.localdomain.corp. (VA IP Address)
nslookup dc01.localdomain.corp. Server: 192.168.10.1 Address: 192.168.10.1#53 Non-authoritative answer: Name: dc01.localdomain.corp Address: 192.168.10.47
If the result is something other than expected, ensure the domain was added to the Internal Domains section of the Umbrella dashboard as outlined in Local DNS Forwarding.
When deploying the virtual appliance component of Umbrella, we recommend the following for DNS configuration on any internal DNS servers:
- On the DNS server adapter settings, use the loopback address (127.0.0.1) so that the server will use itself for DNS resolution. The second entry should be another internal DNS server.
- On the forwarder settings of the DNS server, we recommend using the Umbrella Anycast IPs (18.104.22.168/22.214.171.124) rather than the virtual appliance IPs. This limits the ability to see the source IP when viewing reports but avoids any problems with DNS loops if there is a misconfiguration on either the VA or internal DNS server.
- If the server also acts as a mail server, the best option is to point to your ISPs DNS servers or other recursive resolvers such as those provided by your ISP.
Before sending most or all of your network's DNS traffic to the VAs, testing with several endpoints is highly recommended. First, change an endpoint's DNS settings to the IPs of the VAs, and then verify the following:
- Local and Remote DNS is functioning—Ensure that local resources, internet resources, and applications are working as expected; this includes cloud-based applications, local websites, and commonly-used resources on the internet in general.
- Verify in the Umbrella Dashboard—Within a few minutes of changing DNS on an endpoint, you should start seeing traffic containing the Internal IP address in the Reports section of the Umbrella dashboard.
Umbrella recommends testing for between two and five days with several computers, preferably from different areas of your organization, before switching all production traffic to the VAs.
If DNS fails to resolve after modifying your DNS settings, confirm that you have met firewall requirements as listed in Prerequisites.
For more information about manually changing DNS settings for Windows and Mac OS X computers, see:
After successful testing, it's time to start utilizing the VAs for production DNS traffic.
The virtual appliances must be the only servers listed as DNS servers. Using a mixture of VAs and other types of DNS servers is not supported.
In most network environments using Windows Server, local IP addressing is handled through the DHCP Manager. To update your endpoints’ DNS settings to point to the VAs, change the DNS Servers in your DHCP scope options.
- Open DHCP Manager. Navigate to Start > Administrative Tools > DHCP.
- Select IPv4 or a specific scope, if applicable.
- Right-click Server Options or Scope Options.
- Select 006 DNS Servers, remove ALL the existing local DNS servers, and add the IP addresses of the VAs.
The VAs must be the only DNS servers in this list. It is not possible to use a mixture of VAs and other DNS servers.
After updating the DNS Servers in the DHCP options, wait for the DHCP leases on the endpoints to expire and see the new changes. In most cases, DHCP lease durations are seven days or less, but sometimes may be set to higher values. We recommend verifying the DHCP lease duration in the DHCP Manager.
Unfortunately, there is no easy way to force an immediate DHCP lease renewal. One method is to use a Group Policy Object to deploy and execute a batch file with the "ipconfig /renew" command in it; this would cause the endpoints to recognize the VAs as their DNS servers. Unfortunately, Umbrella support is unable to assist with the Group Policy Object method or other methods to force DHCP lease renewal on the endpoints. Check the documentation of your typical deployment tools to identify the best method for executing a remote command.