
Umbrella Integration with Protective DNS

Umbrella can now be integrated with Protective DNS. You can meet the Protective DNS mandate while leveraging the coverage, flexibility, and fine-grained controls of Umbrella. The integration process consists of four steps that can be completed in under an hour.

The integration uses the Protective DNS Source Set feature, which includes a one-click configuration of Umbrella’s Resolvers as an allowed source. Once Umbrella for Government Resolvers are configured as an approved source and the destination details are configured on the Umbrella backend, the DNS traffic sent to a specialized set of US-based Umbrella DNS Resolvers is routed to Protective DNS for evaluation.

Protective DNS identifies the DNS traffic as originating from your organization, evaluates it against the Protective DNS policies, and records it in your Protective DNS logs. Response traffic flows back through the Umbrella for Government Resolvers, where Umbrella policies are applied before the response is returned to you. This integration supports all Umbrella DNS use cases: on-prem networks, virtual appliances, and both remote and mobile devices.

To integrate Umbrella and Protective DNS for on-prem networks:

  1. Configure the SSE Source Set of Protective DNS to use Umbrella for Government Resolvers.
  2. Notify Cisco of the Source Set IPv6 address and Organization ID.
  3. If virtual appliances are in use, point the Umbrella virtual appliances to the Umbrella for Government Protective DNS addresses.
  4. Validate to ensure that your DNS traffic is sent to Protective DNS.

Configure the Source Set of Protective DNS to Use Umbrella for Government Resolvers

A Source Set configuration enables traffic from the configured hosts to be accepted by the Protective DNS resolvers. The Source Set is used to correlate incoming DNS requests with a specific agency. Configuring Umbrella for Government Resolvers in the Source Set prepares Protective DNS to receive DNS traffic from Umbrella and to identify it as originating from Umbrella.

To Configure the Source Set of Protective DNS to use Umbrella for Government Resolvers:

  1. Click My Organization in the header.
  2. Click Authorized Sources under the My Organization header.
  3. Click Add New.
  4. In the Add New Source window:
    1. Select SSE Provider as the Type.
    2. Select Cisco as the Secure Service Edge (SSE) Provider.
    3. Use an existing Source Set or create a new one.
    4. In Description, specify the groups that will use the Source Set. Configure one Source Set for each Org ID that you have in Umbrella.
  5. Click Save.

When saved, the Source Set appears in the Authorized Sources table with a unique IPv6 address.

Notify Cisco of your Source Set IPv6 Address and Organization ID

The Source Set IPv6 address is used together with your Umbrella Organization ID to identify all traffic from your organization's on-prem networks, virtual appliances, and mobile and remote users, and to forward that traffic to Protective DNS. Cisco engineering requires both the Source Set IPv6 address and the Organization ID to complete the backend configuration that directs the Umbrella Protective DNS resolvers to forward your user traffic to Protective DNS. Communicate the IPv6 address to Umbrella Support.

To notify Cisco:

  1. Identify the Umbrella Source Set configuration in the Authorized Sources table.
  2. Identify your Umbrella Organization ID. For more information on identifying your Organization ID, see Find Your Organization ID.
  3. Email your Cisco Umbrella Customer Success Manager (CSM) with the Source Set IPv6 address and your Organization ID. If you do not know who your CSM is, email your Cisco Account Manager so the information can be properly forwarded.

Wait for confirmation from Cisco that the configuration is complete before moving to the next section.

Validation

For hosts that are configured to be blocked, Protective DNS redirects the request to the PDNS lander rather than returning the address 0.0.0.0. The domain heartbeat.protectivedns.net is used by Protective DNS as a test address to verify that content blocking is enabled, so that customer traffic need not be sent to known malicious domains. You can confirm that requests are being sent to Protective DNS when a request for heartbeat.protectivedns.net is redirected to the PDNS lander.

  1. Run nslookup from the command line of a host configured to use the Umbrella for Government DNS resolvers:

     # nslookup heartbeat.protectivedns.net

  2. Check the response. It should indicate the PDNS lander address.

Note: Umbrella DNS policies are applied to all inbound DNS queries, and blocked requests are dropped immediately without being forwarded to Protective DNS. The Umbrella for Government resolvers also respond immediately to requests that Protective DNS has previously approved, to speed up customer responses.

As a result of these behaviors, some customer requests do not appear in the Protective DNS UI. Customer DNS activity that has been blocked or allowed by Umbrella appears in the Umbrella UI instead.
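The validation step above and the note about Umbrella-side blocking can be scripted. The following POSIX shell script is an added example and is not Cisco documentation or Cisco code: it reads nslookup output for heartbeat.protectivedns.net and reports whether the answer is the PDNS lander address (query reached Protective DNS), 0.0.0.0 (Umbrella answered locally and never forwarded it), NXDOMAIN, or something else. It assumes the Linux/macOS nslookup output layout ("Name:" followed by "Address:" lines), and the lander and resolver addresses in it are constructed placeholders from the TEST-NET ranges, not real Protective DNS or Umbrella addresses; set PDNS_LANDER to the lander address shown in your Protective DNS console before using it.

```shell
#!/bin/sh
# Added example, not Cisco documentation or Cisco code: classify the answer that
# nslookup returns for the Protective DNS heartbeat domain so the validation
# step, and the Umbrella-side caveat in the note, can be checked from a script.
# Assumptions: Linux/macOS nslookup output layout ("Name:" then "Address:"),
# and a lander address supplied by the operator. The default below is a
# constructed placeholder (TEST-NET-3), not a real PDNS lander address.
PDNS_LANDER="${PDNS_LANDER:-203.0.113.10}"
HEARTBEAT="heartbeat.protectivedns.net"

# Reads nslookup output on stdin and prints exactly one verdict:
#   pdns-lander     answer is the lander address: the query reached Protective DNS
#   umbrella-block  answer is 0.0.0.0: Umbrella answered locally, nothing forwarded
#   nxdomain        the resolver returned NXDOMAIN
#   unexpected      any other answer (for example, the host is not using the
#                   Umbrella for Government resolvers at all)
classify_heartbeat() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qi 'NXDOMAIN'; then
        echo nxdomain
        return 0
    fi
    # The first Server:/Address: pair describes the resolver itself; only
    # Address: lines that follow "Name:" are answer records.
    answers=$(printf '%s\n' "$out" | awk '/^Name:/ {seen=1; next} seen && /^Address/ {print $NF}')
    verdict=unexpected
    for ip in $answers; do
        if [ "$ip" = "$PDNS_LANDER" ]; then
            verdict=pdns-lander
        elif [ "$ip" = "0.0.0.0" ] && [ "$verdict" = unexpected ]; then
            verdict=umbrella-block
        fi
    done
    echo "$verdict"
}

# Constructed nslookup transcripts for an offline run. The resolver address
# 203.0.113.53 is a placeholder, not an Umbrella resolver.
sample_lander() {
    cat <<EOF
Server:         203.0.113.53
Address:        203.0.113.53#53

Non-authoritative answer:
Name:   $HEARTBEAT
Address: $PDNS_LANDER
EOF
}
sample_umbrella_block() {
    cat <<EOF
Server:         203.0.113.53
Address:        203.0.113.53#53

Non-authoritative answer:
Name:   $HEARTBEAT
Address: 0.0.0.0
EOF
}
sample_nxdomain() {
    cat <<EOF
Server:         203.0.113.53
Address:        203.0.113.53#53

** server can't find $HEARTBEAT: NXDOMAIN
EOF
}

# With --live, run the real lookup from the host being validated; otherwise
# exercise the classifier on the constructed transcripts.
if [ "${1:-}" = "--live" ]; then
    nslookup "$HEARTBEAT" | classify_heartbeat
else
    printf 'lander transcript  : %s\n' "$(sample_lander | classify_heartbeat)"
    printf 'blocked transcript : %s\n' "$(sample_umbrella_block | classify_heartbeat)"
    printf 'nxdomain transcript: %s\n' "$(sample_nxdomain | classify_heartbeat)"
fi
```

Run it with --live on a host that uses the Umbrella for Government resolvers; a verdict of pdns-lander confirms the query was forwarded to Protective DNS, while umbrella-block means Umbrella's own policy answered the query and, as the note above explains, it will show up in the Umbrella UI rather than the Protective DNS UI.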
