
Bypass Internal Domains from DNS-over-HTTPS (DoH)

Cisco Umbrella provides a secure DNS-over-HTTPS (DoH) service for resolving domain names. However, some customers may prefer to bypass this service for particular domains in the following scenarios:

  • When internal domains need to be resolved by internal DNS servers, because the Umbrella DoH resolvers have no visibility into them and cannot resolve these names.
  • When split-horizon domains must resolve to different answers depending on whether they are accessed from inside or outside the network.

To bypass internal domain DNS resolution, use the DNS over HTTPS included and excluded domains feature in the Google Admin Console. This feature allows administrators to exclude specific domains from being resolved by the Umbrella DoH resolvers, so that the internal DNS infrastructure handles those queries instead.

This solution offers customers the flexibility to manage DNS resolution for specific internal domains through their internal DNS infrastructure.

Note: The DNS over HTTPS included and excluded domains feature is supported starting from ChromeOS version 131. For more details, see the ChromeOS 131 release notes.

Procedure

  1. Log in to Google Admin Console.
  2. Navigate to Devices > Chrome > Settings. The User & browser settings page appears.
  3. Expand Organizational Units, and choose the OU where the DoH settings are applied.
  4. Configure the DNS over HTTPS included and excluded domains option:
     • DNS over HTTPS included domains:
       Enter * to ensure all DNS traffic is sent to the Umbrella DoH resolvers by default.
     • DNS over HTTPS excluded domains:
       Enter the domains you want to exclude from the Umbrella DoH resolvers; queries for these domains are directed to your internal DNS servers.

Note

  • In the DNS over HTTPS excluded domains list, add all the domains listed under Internal Domains (Deployments > Domain Management > Internal Domains) in the Umbrella dashboard.
  • When listing multiple domains, enter each domain on a separate line without using commas or semicolons.

Verification

After configuration, confirm that internal domains are reachable as expected and that their names are resolved by your internal DNS servers rather than by the Umbrella DoH resolvers. For further assistance, please contact Cisco support.
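The procedure above leaves two error-prone manual steps: turning the Umbrella Internal Domains list into the one-domain-per-line format the excluded-domains box expects, and checking afterwards which resolver a given query will reach. The following script, an added example that is not Cisco's or Google's code, does both offline. It assumes that an excluded entry covers the exact name and all of its subdomains, that an included entry of `*` means every name not otherwise excluded, and that names matching neither list fall back to the device's system DNS; verify those assumptions against the current Chrome policy documentation before relying on them. The sample domain list is constructed for illustration.

```python
"""Build a ChromeOS 'DNS over HTTPS excluded domains' value from an Umbrella
Internal Domains export and classify where a query would be resolved.

Added example, not Cisco's or Google's code. Assumptions (see lead-in):
  - an excluded entry matches the exact name and any subdomain of it;
  - an included entry of '*' matches everything not excluded;
  - names matching neither list go to system DNS.
"""
import re

# Constructed sample: what an admin might copy out of
# Deployments > Domain Management > Internal Domains in Umbrella.
UMBRELLA_INTERNAL_DOMAINS = [
    "corp.example.internal",
    "  Intranet.Example.COM  ",                         # stray case/whitespace
    "lab.example.internal, build.example.internal",    # bad: comma-separated
    "corp.example.internal",                           # duplicate
]

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_domain(entry):
    """Trim, lowercase and strip a trailing dot; reject separators and bad labels."""
    name = entry.strip().lower().rstrip(".")
    if any(sep in name for sep in (",", ";", " ")):
        raise ValueError(f"one domain per line, no separators: {entry!r}")
    if not name or not all(_LABEL.match(label) for label in name.split(".")):
        raise ValueError(f"not a valid domain: {entry!r}")
    return name


def build_excluded_list(entries):
    """Return (lines, errors): deduplicated clean domains and rejected inputs."""
    seen, lines, errors = set(), [], []
    for entry in entries:
        try:
            name = normalize_domain(entry)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        if name not in seen:
            seen.add(name)
            lines.append(name)
    return lines, errors


def as_policy_text(lines):
    """Render the list exactly as it should be pasted: one domain per line."""
    return "\n".join(lines)


def _matches(name, pattern):
    """Assumed policy semantics: exact match or subdomain of the pattern."""
    return name == pattern or name.endswith("." + pattern)


def resolver_for(query, included, excluded):
    """Classify a query: 'internal' (excluded list wins, goes to internal DNS),
    'doh' (covered by the included list) or 'system' (assumed fallback)."""
    name = normalize_domain(query)
    if any(_matches(name, e) for e in excluded):
        return "internal"
    if "*" in included or any(_matches(name, i) for i in included):
        return "doh"
    return "system"


if __name__ == "__main__":
    lines, errors = build_excluded_list(UMBRELLA_INTERNAL_DOMAINS)
    print("Paste into 'DNS over HTTPS excluded domains':")
    print(as_policy_text(lines))
    for err in errors:
        print("rejected:", err)
    for q in ("host.corp.example.internal", "www.example.com",
              "evilcorp.example.internal"):
        print(f"{q:35} -> {resolver_for(q, ['*'], lines)}")
```

The classifier is worth keeping next to the policy: `evilcorp.example.internal` is not a subdomain of `corp.example.internal`, so a naive substring check would wrongly send it to internal DNS, while the suffix check above correctly keeps it on the Umbrella DoH path.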
