
4. Route DNS Traffic

In order for you to begin enforcing your settings, all DNS traffic from the clients on your network should be routed through your virtual appliances (VAs).

When deploying the VA component of Umbrella we recommend the following for DNS configuration on any internal DNS servers:

  • On the DNS server adapter settings, use the loopback address (127.0.0.1) so that the server will use itself for DNS resolution. The second entry should be another internal DNS server.
  • On the forwarder settings of the DNS server, we recommend using the Umbrella Anycast IPs (208.67.222.222/208.67.220.220) rather than the VA IPs. This limits the ability to see the source IP when viewing reports, but it avoids DNS loops if there is a misconfiguration on either the VA or the internal DNS server.
  • If the server also acts as a mail server, the best option is to point its forwarders at your ISP's DNS servers or at other recursive resolvers.

Test DNS

  1. First, start by testing on a few devices by manually configuring their DNS settings to use the VAs. Try different operating systems or hardware types (for example, mobile devices) to ensure compatibility with all your devices.

Important: When testing the policy enforcement, some DNS responses may already be cached for several minutes to days. You should flush the DNS cache through the browser and the OS to avoid waiting for the cached responses to expire.

  2. If possible, a good next step is to change the DNS settings for a specific DHCP server pool or scope in your organization.
  3. Once you’ve verified correct enforcement of policies with your pilot group of computers, you can either stage the cutover to using the VAs for DNS or cut over the entire organization. The best time to effect the cutover is typically after users log out for the day. Note that there's no easy way to force clients to renew their DHCP scope remotely or automatically, 
  4. When users log in after the installation is complete, they should begin sending all DNS queries to one of the VAs forwarding DNS traffic.

Note: Most stub DNS resolvers, those that reside on endpoint devices, do not have a true primary vs. secondary DNS server relationship. On many operating systems, which of the configured DNS servers a stub resolver will use at any given time is undocumented.
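Because a stub resolver may send a query to any server in its list, a pilot device whose second entry is not a VA can quietly bypass enforcement even when the first entry is correct. The following Python script is an added example, not code from the Umbrella guide or from Cisco: it audits an endpoint's resolver list against the rule that every entry must be a VA, and checks an internal DNS server's adapter and forwarder settings against the recommendations in this section. The VA, internal DNS server and ISP resolver addresses are hypothetical placeholders (documentation-range or private addresses); the Anycast IPs are the ones named in the guide. The resolv.conf sample is constructed.

```python
import ipaddress

# Hypothetical addresses for this example; substitute the real VA and
# internal DNS server addresses from your own deployment.
VA_ADDRESSES = {"10.0.0.10", "10.0.0.11"}
INTERNAL_DNS = {"10.0.0.53", "10.0.0.54"}
# Umbrella Anycast resolvers as given in the guide.
UMBRELLA_ANYCAST = {"208.67.222.222", "208.67.220.220"}

# Constructed sample of a Linux/macOS resolver configuration, not a real host.
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 10.0.0.10
nameserver 10.0.0.11
search corp.example
"""


def parse_resolv_conf(text):
    """Return the nameserver entries from resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        # Strip comments ('#' or ';') before tokenising.
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit_client_resolvers(servers):
    """Findings for an endpoint's resolver list.

    Stub resolvers have no reliable primary/secondary ordering, so every
    configured server must be a VA; any other entry is a path around policy.
    """
    findings = []
    if not servers:
        findings.append("no nameservers configured")
    for server in servers:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            findings.append(f"{server}: not a valid IP address")
            continue
        if server not in VA_ADDRESSES:
            findings.append(f"{server}: not a virtual appliance, queries may bypass Umbrella")
    return findings


def audit_dns_server(adapter_dns, forwarders, is_mail_server=False):
    """Findings for an internal DNS server.

    adapter_dns: DNS servers set on the server's own network adapter.
    forwarders:  addresses the DNS server forwards unresolved queries to.
    is_mail_server: if True, forwarders are expected to be ISP or other
    recursive resolvers rather than the Umbrella Anycast IPs.
    """
    findings = []
    # Adapter: loopback first, then another internal DNS server.
    if not adapter_dns or adapter_dns[0] != "127.0.0.1":
        findings.append("adapter: first DNS entry should be the loopback address 127.0.0.1")
    for server in adapter_dns[1:]:
        if server not in INTERNAL_DNS:
            findings.append(f"adapter: {server} is not an internal DNS server")
    # Forwarders: never a VA (loop risk); Anycast unless this is a mail server.
    for fwd in forwarders:
        if fwd in VA_ADDRESSES:
            findings.append(f"forwarder: {fwd} is a VA; use the Umbrella Anycast IPs to avoid DNS loops")
        elif not is_mail_server and fwd not in UMBRELLA_ANYCAST:
            findings.append(f"forwarder: {fwd} is not an Umbrella Anycast IP")
    return findings


if __name__ == "__main__":
    client = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("client resolvers:", client, "->", audit_client_resolvers(client) or "OK")
    # Constructed misconfiguration: second resolver is a non-VA address.
    print("bad client ->", audit_client_resolvers(["10.0.0.10", "192.0.2.53"]))
    print("good server ->",
          audit_dns_server(["127.0.0.1", "10.0.0.54"], sorted(UMBRELLA_ANYCAST)) or "OK")
    # Constructed misconfiguration: no loopback entry and a VA used as forwarder.
    print("bad server ->", audit_dns_server(["10.0.0.53"], ["10.0.0.10"]))
```

Run the script on a pilot device's resolver configuration before the cutover; a clean `audit_client_resolvers` result means every server the stub resolver might pick is a VA. The `is_mail_server` flag exists only to model the mail-server exception above, where ISP or other recursive resolvers are the recommended forwarders.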
