The OpenDNS Hardware Integrations Developer Hub

Welcome to the OpenDNS Hardware Integrations developer hub. You'll find comprehensive guides and documentation to help you start working with OpenDNS Hardware Integrations as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    

Integration for ASA Overview

The Umbrella ASA Integration allows administrators to add their Cisco Adaptive Security Appliance (ASA) to their Umbrella configuration as a per-interface policy. The Umbrella connector enables the ASA to redirect DNS queries to Umbrella.

Bypass Firepower Module for Umbrella Traffic

Cisco Umbrella and ASA FirePOWER processing are not compatible for a given connection. If you want to use both services, you must exclude UDP/53 and UDP/443 from ASA FirePOWER processing. For more details, see Cisco ASA documentation.

The Umbrella connector is apart of the ASA's DNS inspection engine. If your existing DNS inspection policy map decides to block or drop a request based on your DNS inspection settings, the request is not forwarded to Umbrella.

This allows for two lines of protection: your local DNS inspection policy and your Umbrella cloud-based DNS inspection policy.

When redirecting DNS queries to Umbrella, the Umbrella connector includes an EDNS (Extension mechanisms for DNS) record. An EDNS record contains the device ID, organization ID, and client IP address. This information is used by your Umbrella policy to determine whether to block or allow traffic.

You can also elect to encrypt DNS traffic using DNSCrypt to ensure the privacy of usernames and internal IP addresses.

Note: There is not a built-in option to maintain an internal domains list. Instead, you can create a policy to bypass SSIDs from Umbrella.

For more information, on Cisco's ASA, see Cisco ASA documentation.

Integration for ASA Overview > Prerequisites

Updated 7 months ago

Integration for ASA Overview

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.