The Cisco Umbrella integration enables a cloud-based security service by inspecting the Domain Name System (DNS) query that is sent to the enterprise DNS server through the Cisco 4000 Series or 1100 Series Integrated Services Routers (ISR). The security administrator configures Umbrella policies to either allow or deny traffic towards the fully qualified domain name (FQDN). Cisco 4000 Series or 1100 Series ISR acts as a DNS forwarder on the network edge, transparently intercepts DNS traffic, and forwards the DNS queries to the Cisco Umbrella cloud. This feature is available on Cisco IOS XE Denali 16.3 and later releases.
Note: Looking for information on the ISR G2? See ISR G2 – Configuration Guide. You can configure our DNS servers with an ISR G2, but there is no integration with Umbrella.
16.6.1 was released to General Availability in late July 2017. Features have changed and improvements to the internal mapping of IPs have been made. There are significant differences between the command line interfaces; thus, if you are running 16.6.1, see Release Notes for Cisco 4000 Series ISRs, Cisco IOS XE Everest 16.6 .
Support for the ISR 1100 Series was made available in February 2018. DNSCrypt on the ISR 1100 requires minimum software version: 16.6.3, 16.7.2, or 16.8.1. The integration for the ISR 1100 is exactly the same as with the 4000 series and should be followed according to the steps for the 4000 series.
The full integration guide can be found in Security Configuration Guide: Cisco Umbrella Integration On Cisco 4000 Series ISRs.
Integration for ISR 4K – Security Configuration Guide > Wireless LAN Controller Integration