Guides
ProductDeveloperPartnerPersonal
Guides

DNS Policy Precedence

You can design any number of DNS policies to protect your identities and manage access to destinations. When you create a policy, you choose which identities to add to a certain policy. Then, you order the policy listing the highest priority DNS policy first. Umbrella evaluates your policies to match an identity and destination using the order which you set. If a match is not found, Umbrella applies the Umbrella Default policy.

Table of Contents

Match an Identity and Destination to a Policy

You can add the following identity types to a DNS policy:

  • AD Computers
  • AD Groups
  • Chromebooks
  • G Suite OUs
  • G Suite Users
  • Mobile Devices
  • Network Devices
  • Networks
  • Roaming Computers
  • Sites

Note: Tags are not identities, but rather groupings of roaming computer identities. For more information, see Group Roaming Computers with Tags.

When matching an identity and destination to a DNS policy, Umbrella considers each known identity, but only matches a single identity as the primary identity. The Umbrella Activity Search report lists the primary identity as the identity that matches the DNS policy.

Identities without Active Directory Integration

When matching an identity that does not integrate with Active Directory, Umbrella first considers the roaming client identity.

Umbrella checks for a matching roaming client identity in the highest ranked DNS policy. If a match is not found, then Umbrella checks for a matching network identity in the highest ranked DNS policy.

Umbrella evaluates the identities in the following order:

  1. Roaming Client (mobile device, network device, or roaming computer)
  2. Network

Note: When a network identity matches a DNS policy, Umbrella lists the network identity as the primary identity in the Umbrella reports and logs, and includes the roaming client identity as a secondary identity. Conversely, if the roaming client identity matches a DNS policy, Umbrella lists only the roaming client identity in the Umbrella reports and logs.

Identities with Active Directory Integration

Several Umbrella identities integrate with Active Directory (AD). Within the highest ranked DNS policy, Umbrella first checks for a matching AD user identity. If a match is not found, then Umbrella continues to check for a matching identity and destination. Umbrella considers the AD identities higher priority within a list of identities.

Umbrella checks for known identities in this order:

  1. Active Directory (AD) user — AD integration provided by a Virtual Appliance or Roaming Client
  2. Active Directory (AD) computer — AD integration provided by a Virtual Appliance
  3. Internal Network (Site) — AD integration provided by a Virtual Appliance
  4. Umbrella Site — Virtual Appliance with no other identity deployed
  5. Roaming Client — Roaming Client
  6. Network — Uses source IP of the DNS request

DNS Policy without Virtual Appliance

Within a single DNS policy, Umbrella checks for a matching identity in this order:

  1. Mobile devices (Mobile devices connect through a VPN)
  2. Roaming client
  3. Network

Note: The Umbrella Activity Search report only lists the first matching identity. For example, if you add a roaming client and a network to the same DNS policy, and the roaming client is behind the network, then Umbrella records only the roaming client identity in the Activity Search report.

DNS Policy with Virtual Appliance

For a DNS policy that includes a virtual appliance (VA) identity, Umbrella checks for identity matches in this order:

  1. AD user
  2. AD computer
  3. Internal network
  4. Site
  5. Roaming client
  6. Network

Note: When you add a VA and a network or roaming client to an Umbrella DNS policy, you can only view the network and roaming client identities if their DNS is not configured to point to the VA. Generally, we recommend that you configure all computers to point to the VA. If you can view a network identity in the Umbrella dashboard, it may indicate an incomplete configuration.

Configure Policy Order

When you add your DNS policies to Umbrella, list your highest priority DNS policy first. Umbrella evaluates policies from the top down and looks for a matching identity. Once a single match is found, Umbrella applies that policy's settings to the identity and destination and stops evaluating all other DNS policies. If Umbrella cannot find a matching DNS policy, Umbrella uses the Default DNS policy.

Once Umbrella finds a matching DNS policy, it does not evaluate any other policies. For example, if you add an AD User identity AD Admin to two policies: a second-rank policy (Policy One) that blocks google.com and a third-rank policy (Policy Two) that blocks facebook.com. You might think Policy One activates when the user accesses google.com and Policy Two activates when the user accesses facebook.com, blocking both google.com and facebook.com for AD Admin. However, this is incorrect since Umbrella only matches once by identity with the highest-ranking policy. Because it is the highest-ranking policy that applies to AD Admin, Policy One is matched. Umbrella applies Policy One and ignores Policy Two, and facebook.com is never blocked.

To test if your policies are working as intended, use the Umbrella Policy Tester. See Umbrella Policy Tester.

You can drag and drop policies to change their ranking order.

  1. Navigate to Policies > Management > All Policies.

  1. Drag and drop policies to re-order policies and reset precedence.
958

Identity Combinations

You can choose any combination of identities in a policy. For example, you can add a user in AD to several different policies and include as:

  • An individual user
  • One of many AD users

For example, if you add an AD User identity AD Admin to two policies: a second-rank policy (AD Users Policy) that applies to all AD Users and a third-rank policy (Restrictive Users Policy) that is more restrictive and that only applies to the specific user AD Admin. Because it is the highest-ranking policy of the two policies, the AD Users Policy is the first match in the execution order. Umbrella applies AD Users Policy and ignores Restrictive Users Policy.

Policies and Block Page Bypass Settings

Policy precedence also has an impact on using bypass codes and bypass users. You enable Block Page Bypass (BPB) codes and users for each policy. If your bypass code is not working or the "Admin" bypass link does not appear, check that the bypass code or user is enabled for the policy. To enable a code or user, check the box next to the code or user, then save the policy.

2011

Test a DNS Policy < DNS Policy Precedence > Best Practices for DNS Policies