The Umbrella User Guide Developer Hub


DNS Policy Precedence

Umbrella DNS policies describe destinations and identities, and access control preferences for your identities. You can add identities and destinations to a DNS policy and configure security settings. You can design any number of DNS policies to match your networks.

This guide describes how Umbrella applies DNS policies and policy settings to an identity and destination.

Add Identities and Configure Policy Settings

You can add the following identity types to a DNS policy:

  • AD Computers
  • AD Groups
  • Chromebooks
  • G Suite OUs
  • G Suite Users
  • Mobile Devices
  • Network Devices
  • Networks
  • Roaming Computers
  • Sites
Note: Although Tags appears in this list, it is not an identity. Tags let you group Roaming Computer identities together. For more information, see Group Roaming Computers with Tags.

You can also configure the following DNS Policy settings:

Set Up DNS Policies in Priority Order

When you add your DNS policies to the Umbrella dashboard, list your highest priority DNS policy first. Umbrella evaluates policies from the top down, starting with the highest ranked DNS policy, looking for a matching identity and destination. When a match is found, Umbrella applies that policy's settings to the identity and destination and stops evaluating DNS policies. If Umbrella cannot find a matching DNS policy, Umbrella uses the Default DNS policy.

Match an Identity

When matching an identity and destination to a DNS policy, Umbrella considers each known identity, but only matches a single identity as the primary identity. The Umbrella Activity Search and Security Overview reports list the primary identity as the identity that matches the DNS policy.

Identities without Active Directory Integration

When matching an identity that does not integrate with Active Directory, Umbrella first considers the Roaming Client identity.

Umbrella checks for a matching Roaming Client identity in the highest ranked DNS policy. If a match is not found, then Umbrella checks for a matching Network identity in the highest ranked DNS policy.

Umbrella evaluates the identities in the following order:

  1. Roaming Client (mobile device, network device, or roaming computer)
  2. Network

Note: When a Network identity matches a DNS policy, Umbrella lists the Network identity as the primary identity in the Umbrella reports and logs, and includes the Roaming Client identity as a secondary identity. Conversely, if the Roaming Client identity matches a DNS policy, Umbrella only lists the Roaming Client identity in the Umbrella reports and logs.

Identities with Active Directory Integration

Several Umbrella identities integrate with Active Directory (AD). Within the highest ranked DNS policy, Umbrella first checks for a matching Active Directory user identity. If a match is not found, then Umbrella continues to check for a matching identity and destination. Within a list of identities, Umbrella gives the Active Directory identities the highest priority.

Umbrella checks for known identities in this order:

  1. Active Directory (AD) user — AD integration provided by a Virtual Appliance or Roaming Client
  2. Active Directory (AD) computer — AD integration provided by a Virtual Appliance
  3. Internal Network (Site) — AD integration provided by a Virtual Appliance
  4. Umbrella Site — Virtual Appliance with no other identity deployed
  5. Roaming Client — Roaming Client
  6. Network — Uses source IP of the DNS request

DNS Policy without Virtual Appliance

Within a single DNS policy, Umbrella checks for a matching identity in this order:

  1. Mobile devices (Mobile devices connect through a VPN)
  2. Roaming Client
  3. Network

Note: The Umbrella Activity Search and Security Overview reports only list the first matching identity. For example, if you add a Roaming Client and a Network to the same DNS policy, and the Roaming Client is behind the network, then Umbrella only records the Roaming Client identity in the Umbrella reports.

DNS Policy with Virtual Appliance

For a DNS policy that includes a Virtual Appliance identity, Umbrella checks for identity matches in this order:

  1. Active Directory user
  2. Active Directory computer
  3. Internal Network
  4. Site
  5. Roaming Client
  6. Network

Note: When you add a Virtual Appliance and a Network or Roaming Client to an Umbrella DNS policy, you can only view the Network and Roaming Client identities if their DNS is not configured to point to the Virtual Appliance. Generally, we recommend that you configure all computers to point to the Virtual Appliance. If you can view a Network identity in the Umbrella dashboard, it may indicate an incomplete configuration.
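The following is an added illustration of the top-down policy search and the identity precedence described above (it is not Umbrella code; the policy shape, identity type names, and the sample identities are constructed for the example). It also shows how a Network match is reported with the Roaming Client as a secondary identity, while a Roaming Client match is reported alone.

```python
# Identity types in the order Umbrella checks them within a single policy
# (AD user first, Network last). Names are this example's own labels.
IDENTITY_ORDER = ["ad_user", "ad_computer", "internal_network", "site",
                  "roaming_client", "network"]


def match_policy(policies, request_identities):
    """Return (policy_name, primary_identity, secondary_identity).

    policies: list ordered highest priority first; each policy is
      {"name": str, "identities": {identity_type: set(of identity values)}}
    request_identities: {identity_type: identity_value} known for the request.
    The first policy that contains any of the request's identities wins; the
    primary identity is the highest-precedence type that matched in that policy.
    """
    for policy in policies:
        for id_type in IDENTITY_ORDER:
            value = request_identities.get(id_type)
            if value is None or value not in policy["identities"].get(id_type, set()):
                continue
            primary = (id_type, value)
            secondary = None
            # A Network match is reported with the Roaming Client as secondary;
            # a Roaming Client match would already have been chosen as primary.
            if id_type == "network" and "roaming_client" in request_identities:
                secondary = ("roaming_client", request_identities["roaming_client"])
            return policy["name"], primary, secondary
    # No ranked policy matched: the Default DNS policy applies.
    return "Default", None, None


# Constructed sample policies, highest priority first.
POLICIES = [
    {"name": "Finance", "identities": {"ad_user": {"alice@example.com"}}},
    {"name": "HQ Network", "identities": {"network": {"hq-lan"},
                                          "roaming_client": {"laptop-7"}}},
    {"name": "Roaming", "identities": {"roaming_client": {"laptop-9"}}},
]

if __name__ == "__main__":
    # laptop-9 is behind hq-lan: "HQ Network" matches on the Network identity
    # first, so the lower-ranked "Roaming" policy is never evaluated.
    print(match_policy(POLICIES, {"network": "hq-lan", "roaming_client": "laptop-9"}))
```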

Apply DNS Policy Settings

Within a policy, Umbrella evaluates the following policy settings, starting with the Allow destination lists. You must have the Intelligent Proxy enabled for Umbrella to check certain policy settings.

  1. Destination lists, Allow.
  2. Application, Allow.
  3. With the Intelligent Proxy enabled, match an application URL in the Allow lists.
  4. Security categories and Integration Block lists.
  5. Destination lists, Block.
  6. With the Intelligent Proxy enabled, match a blocked URL in the "unknown domains" list.
  7. Botnet.
  8. With the Intelligent Proxy enabled, match any URL in the "unknown domains" list.
  9. Application, Block.
  10. Content categories, Block.
  11. With the Intelligent Proxy enabled, check newly seen domains with antivirus (AV) engines and Cisco Advanced Malware Protection (AMP).
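As an added example (not Umbrella code), the evaluator below walks the eleven settings in the order listed above and stops at the first one that applies. The policy fields, the request fields, and the "inspect" verdict used for the Intelligent Proxy steps 8 and 11 are this example's own assumptions; it shows, for instance, that an Allow destination list entry (step 1) takes precedence over a security category block (step 4).

```python
def evaluate_settings(policy, request, intelligent_proxy=False):
    """Return (verdict, step) for the first policy setting that applies."""
    domain, url, app = request["domain"], request.get("url"), request.get("app")
    checks = [  # (step, applies, verdict) in Umbrella's evaluation order
        ("1 destination list allow", domain in policy["allow_destinations"], "allow"),
        ("2 application allow", app in policy["allow_apps"], "allow"),
        ("3 application URL allow", intelligent_proxy and url in policy["allow_urls"], "allow"),
        ("4 security category / integration block list",
         bool(request["security_categories"] & policy["block_security_categories"]), "block"),
        ("5 destination list block", domain in policy["block_destinations"], "block"),
        ("6 blocked URL in unknown domain",
         intelligent_proxy and request["unknown_domain"] and url in policy["blocked_urls"], "block"),
        ("7 botnet", request["botnet"], "block"),
        ("8 unknown domain sent to proxy", intelligent_proxy and request["unknown_domain"], "inspect"),
        ("9 application block", app in policy["block_apps"], "block"),
        ("10 content category block",
         bool(request["content_categories"] & policy["block_content_categories"]), "block"),
        ("11 newly seen domain AV/AMP", intelligent_proxy and request["newly_seen"], "inspect"),
    ]
    for step, applies, verdict in checks:
        if applies:
            return verdict, step
    return "allow", "no setting matched"


# Constructed sample policy.
POLICY = {
    "allow_destinations": {"partner.example"}, "allow_apps": set(), "allow_urls": set(),
    "block_security_categories": {"malware"},
    "block_destinations": {"games.example"}, "blocked_urls": set(),
    "block_apps": {"FileShareApp"}, "block_content_categories": {"games"},
}


def make_request(domain, **fields):
    """Build a request with the lookup results this example assumes."""
    base = {"domain": domain, "security_categories": set(), "content_categories": set(),
            "botnet": False, "unknown_domain": False, "newly_seen": False}
    base.update(fields)
    return base


if __name__ == "__main__":
    # Allow list wins even though the domain is categorised as malware.
    print(evaluate_settings(POLICY, make_request("partner.example",
                                                 security_categories={"malware"})))
```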

Updated 2 months ago
