The OpenDNS Hardware Integrations Developer Hub

Welcome to the OpenDNS Hardware Integrations developer hub. You'll find comprehensive guides and documentation to help you start working with OpenDNS Hardware Integrations as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    

Meraki Cloud-Managed Networks and Umbrella

As the administrator of a Meraki Device, you are able to connect to the free and fast Cisco Umbrella global network DNS service which will offer you visibility into all internet traffic originating from your Meraki device and result in a faster internet experience for your users. If you then want to add an additional layer of DNS security to your Meraki device, the easy-to-establish connection to Umbrella enables you to access our free trial—which you can setup by yourself in less than five minutes.

New: Integrating Meraki and Umbrella

There is now an early-release Meraki MR26.0 firmware version that can be enabled with Meraki support assistance that enables you to integrate Umbrella security policies with the Meraki dashboard. Alternatively, you can still configure your Meraki devices to use Cisco Umbrella regardless of their firmware versions.

Alert: Issue with DNS over TCP

The Meraki MR does not currently intercept DNS queries sent over TCP. Instead, such requests bypass the MR completely, using whichever DNS server the client is configured for. Umbrella and Meraki engineering teams are working to correct this, and expect the issue will be addressed in the near future.

In the meantime, customers affected by this issue can avoid it by registering the egress IP as a network identity in Umbrella, and/or block TCP DNS lookups at the firewall.

Integrating Meraki with Cisco Umbrella

Integrating the Meraki Dashboard and Umbrella DNS allows clients connected to Meraki Access Points to have their DNS traffic filtered through Cisco's Umbrella DNS service. Umbrella DNS filtering can also be configured to apply to wireless clients that have been assigned to a Group Policy from the Meraki Dashboard.

This integration allows Administrators to easily apply and modify DNS-based filtering rules to multiple groups of clients on their network by simply assigning a filtering policy to a specific SSID or Group Policy. Once assigned, all DNS requests from clients under that policy will be automatically redirected to Cisco's Umbrella DNS service where it will be checked against the appropriate policy configured for the Network Device (Meraki SSID or Group Policy) in the Umbrella dashboard.

Click here for instructions for integrating Cisco Umbrella with Meraki MR Networks

Note

Please contact Meraki Support to have this feature enabled. This feature requires an early-release MR26.0 firmware version that can be enabled only with Meraki support assistance. This feature is not currently available for networks containing MR26 access points.

Configuring Meraki to use Cisco Umbrella

The following procedures are for customers who do not have the MR26.0 firmware enabled.

This section describes how to configure the Meraki network to use the Umbrella IP addresses of 208.67.222.222 and 208.67.220.220.

Additionally, if you are using a DNS forwarder as the primary DNS server for your network, this document covers how to update Windows 2003 Server, Windows 2008 Server, Windows 2012 Server or BIND Server to use Umbrella.

Once you’ve configured your Meraki infrastructure to point to Umbrella, you can sign up for either a free premium DNS account or a free 14-day trial of Umbrella.

Free Premium DNS

We offer a free, fast recursive DNS service which gives you visibility into all of your Internet traffic originating from your Meraki device.

Free Umbrella 14-Day Trial

If you want to add an additional layer of DNS security, try our free trial—you can set it up yourself in less than five minutes. Sign up at umbrellla.com today!

Setting up Umbrella for a Meraki network

There are two ways in which you can configure your Meraki networks to use Umbrella. The first is to use DHCP to distribute the Umbrella server IP information directly to clients. This is available on all Meraki platforms. The second method, available only on MX Security Appliances and Z1 Teleworker Gateways, is to configure the MX itself to use the Umbrella servers and to proxy client DNS requests to those same servers.

How to configure Umbrella for clients

For MX Security Appliances

  1. From your cloud dashboard, select Security Appliance > Configure > DHCP.
  2. Under the DHCP scope you wish to configure, choose Use OpenDNS from the DNS nameservers drop-down list. DHCP must be enabled for the desired subnet for this option to appear.

For MS Switches

  1. From your cloud dashboard, select Switch > Configure > Routing and DHCP.
  2. Select the route you wish to modify the DHCP service for, and choose Use OpenDNS from the DNS nameservers drop-down list under DHCP Settings.
    DHCP must be enabled for the desired subnet for this option to appear. For more information on how to configure the DHCP server for MX Security Appliances and MS Switches, see Configuring DHCP Services on the MX and MS.

For MR Access Points (NAT Mode SSIDs only)

  1. From your cloud dashboard, select Wireless > Configure > Access Control.
  2. Select the SSID you wish to configure, and select Custom DNS from the Content filtering drop-down under Addressing and Traffic.
  3. Enter in the Umbrella server IP addresses: 208.67.222.222 and 208.67.220.220.

How to configure your Meraki network to proxy DNS to Umbrella

(MX Security Appliance and Z1 Teleworker Gateway only)

Note: Static IP configuration for the MX and Z1 devices must be performed locally and cannot be done through the cloud dashboard. Once logged into the local status page, browse to the Uplink Configuration page and configure the DNS settings to use 208.67.222.222 and 208.67.220.220 under IP Assignment. This method can only be used with Static IP addressing.
For more information on how to access the local configuration, please see
Using the Cisco Meraki Device Local Status Page.

From your cloud dashboard, select Security Appliance > Configure > DHCP. Under DNS nameservers select Proxy to upstream DNS.

Configuring your DNS forwarder for Umbrella

Even with a Cisco or Meraki device in place at the gateway or egress, DNS for networks is often handled by DNS forwarders installed on DNS servers within the network environment. A DNS forwarder is a DNS server on a network that forwards DNS queries for external domain names to the Umbrella servers. A DNS server on a network is designated as a forwarder when the other DNS servers in the network are configured to forward the queries that they cannot resolve
locally to that DNS server.
The following instructions cover how to configure your DNS forwarder to use the Umbrella public DNS servers for BIND and Windows Server 2003, 2008 and 2012.

Windows Server 2003 and 2003 R2

  1. From the Start menu, navigate to Administrative Tools > DNS.
  2. Choose the DNS server you want to edit.
  3. Select Forwarders.
  4. Select All Other DNS domains in the DNS domains list.
  5. Add Umbrella's addresses to the selected server’s forwarder IP address list.

    Write down your current DNS settings before switching to Umbrella. This will help you if you ever need to return to your old settings.

    Umbrella’s addresses are 208.67.222.222 and 208.67.220.220.

  1. Click OK to confirm the changes.
    We recommend that you flush the DNS resolver cache of the server and the DNS caches of the clients/users using the DNS server to ensure that your new DNS configuration settings take
    immediate effect.

Windows Server 2008 and 2008 R2

  1. From the Start menu, navigate to Administrative Tools > DNS.
  2. Choose the DNS server you want to edit.
  3. Select Forwarders.
  4. Click Edit.
  5. Add Umbrella addresses in the selected server’s forwarder IP address list.

    Write down your current DNS settings before switching to Umbrella. This will help you if you ever need to return to your old settings.

    Umbrella’s addresses are 208.67.222.222 and 208.67.220.220.

  1. Click OK.
  2. Click OK again to confirm the changes.

We recommend that you flush the DNS resolver cache of the server and the DNS caches of the clients/users using the DNS server to ensure that your new DNS configuration settings take immediate effect.

Windows Server 2012 and 2012 R2

  1. In the Start menu, type DNS into Search.
  2. Select DNS from the search results.
  3. Choose the DNS server you want to edit.
  4. Select Forwarders.
  5. Click Edit.
  6. Add Umbrella's addresses to the selected server’s forwarder IP address list.

    Write down your current DNS settings before switching to Umbrella. This will help you if you ever need to return to your old settings.

    Umbrella’s addresses are 208.67.222.222 and 208.67.220.220.

  1. Click OK.
  2. Click OK again to confirm the changes

BIND-based DNS server: Configure BIND to use Umbrella through the shell and Webmin

To point your BIND-based DNS server to use Umbrella resolvers for external resolution you need to modify the file named.conf.options and add the Umbrella resolvers as forwarders. This can be done in one of two ways:

  • Through the command line, Shell\SSH
  • Through a GUI if you have Webmin installed on your BIND server

Shell\SSH Instructions

  1. Connect directly to your server or SSH to it.
  2. Go into /etc/bind.
    Note: this is the default location, so you may need to change this based on your configuration.
  3. Edit named.conf.options in your favorite text editor.
  4. Click Edit.
  5. In named.conf.options, look for a line that starts with forwarders {
    If the forwarders are already configured then just change the current resolver IPs to Umbrella's IP addresses, which are 208.67.222.222 and 208.67.220.220. If the line starting with "forwarders {" isn’t there, you can add it right above the last };
forwarders {
208.67.222.222;
208.67.220.220;
};
  1. Save the file to confirm your changes.

Webmin Instructions

These steps produce a result that is the exact same as the above, except that the Webmin GUI modifies the file named.conf.options for you.

  1. Log into Webmin and navigate to Servers > BIND DNS Server.
  1. Choose Forwarding and Transfers.
  1. Add Umbrella's IP addresses—208.67.222.222 and 208.67.220.220—under the Servers to forward queries to section.
  1. Click Save to confirm the changes.

Integration for ISR G2 – Solution Guide for Umbrella < Meraki Cloud-Managed Networks – Solution Guide for Umbrella > Integration for ASA – Solution Guide for Umbrella