The OpenDNS Hardware Integrations Developer Hub

Welcome to the OpenDNS Hardware Integrations developer hub. You'll find comprehensive guides and documentation to help you start working with OpenDNS Hardware Integrations as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    

Integration for ASA – Solution Guide for Umbrella

As the administrator of Cisco Adaptive Security Appliance (ASA), you are able to connect to the free and fast Cisco Umbrella global network DNS service which offers you visibility into all internet traffic originating from your ASA, and result in a faster internet experience for your users. If you then want to add an additional layer of DNS security to your ASA, the easy-to-establish connection to Cisco Umbrella enables you to access our free trial—which you can setup (by yourself) in less than five minutes.

Using the Cisco Umbrella global network's DNS Services

Umbrella's global DNS network (previously OpenDNS) provides access to a leader in network security and DNS services, enabling the world to connect to the Internet with confidence on any device, anywhere, anytime. The Umbrella cloud-delivered network security service blocks command & control callbacks, malware, and phishing from compromising systems and exfiltrating data over any port, protocol, or app. We apply statistical models to real-time and historical DNS data to predict domains that are likely malicious and could be used in future attacks. Umbrella protects all devices globally without hardware to install or software to maintain. Cisco has data centers across all regions of the world to ensure that the first hop to the service is as fast as possible.

This document covers how to configure the Cisco Adaptive Security Appliance (ASA) to use the Umbrella IP addresses of 208.67.222.222 and 208.67.220.220.

Additionally, if you are using a DNS forwarder as the primary DNS server for your network, this document covers how to update Windows 2003 Server, Windows 2008 Server, Windows 2012 Server or BIND Server to use Umbrella's DNS.

Once you’ve configured your Cisco infrastructure to point to Umbrella, you can sign up for either a free premium DNS account or a free 14-day trial of Umbrella.

Free Premium DNS:
We offer a free, fast recursive DNS service which gives you visibility into all of your Internet traffic originating from your ASA device.

Free Umbrella 14-Day Trial:
If you want to add an additional layer of DNS security to your ASA, try our free trial—you can set it up yourself in less than five minutes. Sign up at umbrellla.com today!

Setting up Umbrella for a Cisco Network

Traditionally there are several places where a network administrator might change public recursive DNS settings to use Umbrella, but exactly where the change is made depends on the network configuration.

Note: If you’re not certain whether you have a DNS forwarder on your ASA or DNS server, the best way to determine what needs to be changed is to see what device is being used as the DNS server for client workstations that are receiving DHCP from the network. This information is typically in the DNS section of the network adapter settings on the client workstation.

In smaller networks, such a home or guest network, there are no internal resources that require a DNS server be configured for the network. In that case, changing the DNS Server settings on the gateway appliance (an ASA in this case) from another DNS server to Umbrella is all that is required. The Umbrella IPs may be distributed via DHCP to the endpoint clients to use to resolve web addresses directly, or the gateway router or access point can act as a forwarder and the IP of the router is then the DNS server address for the clients. In a network like this, the instructions for How to configure DNS servers for the Cisco Adaptive Security Appliance DHCP server are applicable.

Most mid-to-large size networks use a DNS forwarder on a DNS server. Typically this is a server running Windows Server with DNS services installed, or a server running BIND. The DNS server resolves requests to internal resources, such as file shares or printers. The DNS forwarder forwards any requests for zones not hosted on the DNS server to Umbrella. Umbrella resolves the domain to an IP and returns that information to the DNS forwarder.

Instructions to update your DNS forwarder to use Umbrella for Windows Server 2003, 2008, 2012 and BIND can be found in the Configuring your DNS Forwarder for Umbrella section of this document.

How to configure DNS client services on the Cisco Adaptive Security Appliance

Note: If the ASA needs to resolve internal DNS then it must use internal DNS servers. In this scenario, the internal DNS servers are configured to use Umbrella as their DNS forwarders.

Example Configuration

hostname(config)# dns domain-lookup inside
hostname(config)# dns server-group Umbrella 
hostname(config-dns-server-group)# name-server 208.67.222.222 208.67.220.220

For more information on DNS configuration, see Configuring the DNS Server.

How to configure DNS servers for the Cisco Adaptive Security Appliance DHCP server

Example Configuration

hostname(config)# dhcpd dns 208.67.222.222 208.67.220.220

For more information on DHCP configuration, see Enabling the DHCP Server.

Configuring your DNS forwarder for Umbrella

Even with a Cisco device in place at the gateway or egress, DNS for networks is often handled by DNS forwarders installed on DNS servers within the network environment. A DNS forwarder is a DNS server on a network that forwards DNS queries for external domain names to the Umbrella servers. A DNS server on a network is designated as a forwarder when the other DNS servers in the network are configured to forward the queries that they cannot resolve locally to that DNS server.

The following instructions cover how to configure your DNS forwarder to use the Umbrella public DNS servers for BIND and Windows Server 2003, 2008 and 2012.

Windows Server 2003 and 2003 R2

  1. From the Start menu, navigate to Administrative Tools > DNS.
  2. Choose the DNS server you want to edit.
  3. Select Forwarders.
  4. Select All Other DNS domains in the DNS domains list.
  5. Add Umbrella IP addresses to the selected server’s forwarder IP address list.

Please write down your current DNS settings before switching to Umbrella, in case you want to return to your old settings for any reason.

Umbrella's addresses are 208.67.222.222 and 208.67.220.220.

  1. Click OK to confirm the changes.

We recommend that you flush the DNS resolver cache of the server and the DNS caches of the clients/users using the DNS server to ensure that your new DNS configuration settings take
immediate effect.

Windows Server 2008 and 2008 R2

  1. From the Start menu, navigate to Administrative Tools > DNS.
  2. Choose the DNS server you want to edit.
  3. Select Forwarders.
  4. Click Edit.
  5. Add Umbrella addresses in the selected server’s forwarder IP address list.

Please write down your current DNS settings before switching to Umbrella, in case you want to return to your old settings for any reason.
Umbrella's addresses are 208.67.222.222 and 208.67.220.220.

  1. Click OK.
  2. Click OK again to confirm the changes.

We recommend that you flush the DNS resolver cache of the server and the DNS caches of the clients/users using the DNS server to ensure that your new DNS configuration settings take immediate effect.

Windows Server 2012 and 2012 R2

  1. In the Start menu, type DNS into Search.
  2. Select DNS from the search results.
  3. Choose the DNS server you want to edit.
  4. Select Forwarders.
  5. Click Edit.
  6. Add Umbrella addresses to the selected server’s forwarder IP address list.

Please write down your current DNS settings before switching to Umbrella, in case you want to return to your old settings for any reason.

Umbrella's addresses are 208.67.222.222 and 208.67.220.220.

  1. Click OK.
  2. Click OK again to confirm the changes

BIND-based DNS server: Configure BIND to use Umbrella via the shell and Webmin

To point your BIND-based DNS server to use Umbrella resolvers for external resolution you need to modify the file named.conf.options and add the Umbrella resolvers as forwarders.
This can be done in one of two ways:

  • Through the command line, Shell\SSH
  • Through a GUI if you have Webmin installed on your BIND server

Shell\SSH Instructions

  1. Connect directly to your server or SSH to it.
  2. Go into /etc/bind.
    Note: this is the default location, so you may need to change this based on your configuration.
  3. Edit named.conf.options in your favorite text editor.
  4. Click Edit.
  5. In named.conf.options, look for a line that starts with forwarders {
    If the forwarders are already configured then just change the current resolver IPs to Umbrella’s IP addresses, which are 208.67.222.222 and 208.67.220.220. If the line starting with "forwarders {" isn’t there, you can add it right above the last };
forwarders {
208.67.222.222;
208.67.220.220;
};
  1. Save the file to confirm your changes.

Webmin Instructions

These steps produce a result that is the exact same as the above, except that the Webmin GUI will modify the file named.conf.options for you.

  1. Log into Webmin and navigate to Servers > BIND DNS Server.
  1. Choose Forwarding and Transfers.
  1. Add Umbrella’s IP addresses, which are 208.67.222.222 and 208.67.220.220, under the Servers to forward queries to section:
  1. Click Save to confirm the changes.

Meraki Cloud-Managed Networks – Solution Guide for Umbrella < Integration for ASA – Solution Guide for Umbrella

Integration for ASA – Solution Guide for Umbrella