Domain Management

Umbrella's Domain Management feature allows DNS queries for certain domains to query the local network's DNS servers instead of Cisco Umbrella when using the Umbrella AnyConnect roaming security module.

Without specifying internal domains, all DNS queries are sent directly to Umbrella, and as a result, can't reach your network's local resources—computers, servers, and printers—on internally-hosted domains that rely on local DNS servers.

To ensure uninterrupted access to these resources, administrators should add the appropriate domains to the Internal Domains list. Umbrella syncs the internal domains to your roaming users. All domains added to the Internal Domains list resolve DNS records as if the Umbrella AnyConnect roaming security module was not installed on the computer.

The Umbrella AnyConnect roaming security module determines which domains are internal domains based on these sources:

  • Internal Domains list
  • DNS suffixes

Table of Contents

Internal Domains

Populate the Internal Domains list with domains used by your organization to access local resources while on the organization's network (at the physical location or connected through VPN). Internal Domains is pre-populated with the .local TLD and all RFC-1918 (private network) reverse DNS address space. Newly added domains sync to Umbrella roaming clients within about one hour.

For more information about Domain Management, see Add Domains.

Note: Umbrella bypasses HTTPS requests for domains listed in Internal Domains.

DNS Suffixes

The domains contained in the DNS suffixes configuration on a computer's adapter and global network settings are imported automatically into the Umbrella Internal Domains list each time the Umbrella roaming client starts or a new network adapter (such as a VPN or Wireless connection) is initiated. This is to help Umbrella roaming clients adapt in foreign networks where they may want to access local resources without adding the domain through the dashboard.


  • An organization may rely on DNS suffixes and not add any domains to the Umbrella Internal Domains list. If DHCP is configured to use your domains as DNS Suffixes, the Umbrella roaming client can automatically route the domain locally, even without adding the domain to the Internal Domains list.
  • An organization may assume that using DNS suffixes to populate the Internal Domains list, increases the security of their networks. Since DNS queries sent to domains on the Internal Domains list are sent unencrypted, this implies that a machine performing DNS queries for domains that have been added in the dashboard is always sent unencrypted on all networks.

During installation, you can disable the feature that adds the domains contained in the DNS suffixes list to the Internal Domains list. For more information, see special command-line parameter.

Operational Flowchart

The following flowchart explains how the AnyConnect roaming security module gracefully handles internal and external DNS queries.

1. Internal Domains 

The Umbrella roaming client's Internal Domains list is populated by two sources:

  • Syncing the Umbrella Internal Domains list.
  • The DNS Suffixes list located in the local computer's networking configuration settings.

2. External Queries

External DNS queries that do not match a domain located on either of the Internal Domains lists are sent directly to Umbrella.


3. Internal Queries

  • DNS queries for domains contained in the Internal Domains list are sent through the local network's DNS servers.
  • Internal Domains that are hosted on the local network are resolved by the Internal DNS server directly (as seen with
  • Internal Domains that are not hosted on the local network are resolved by Umbrella or whichever public DNS servers are used for resolution (as seen with

Advanced Topics

The following section focuses on more in-depth information and logic with internal domains and expected behavior.


Although the Umbrella roaming client is able to send encrypted DNS queries to Umbrella when in the encrypted state, domains listed on the Internal Domains list are sent unencrypted, because they are not sent to Umbrella.

Virtual Appliances

If virtual appliances (VAs) are deployed at one or multiple locations within your organization, the Umbrella roaming client disables itself and DNS settings revert to the VA while connected to the location physically or through VPN. For more information about the Umbrella roaming client's behavior with VAs, see Virtual Appliances.

If all of your organization's locations are using VAs, we recommend that you configure the Internal Domains list for Appliances only not Appliances and Devices. Any time that the Umbrella roaming client is not connected to the network, it uses Internal Domains set to Appliances Only and considers any DNS queries to your domain as a public query (encrypted).

Virtual Appliances < Domain Management > Configure Protected Networks for Roaming Computers