
Set Up DNS-Layer Security

To start protecting your users and devices, enable Umbrella DNS-layer security. DNS-layer security is the most effective way to protect your users everywhere in minutes. You can protect your networks and devices with DNS-layer security through the DNS policy.

Note: You can only enable the intelligent proxy through the DNS policy. For more information about the intelligent proxy, see Manage the Intelligent Proxy.

Step 1: Add a Network Identity

  1. Log in to Umbrella.
  2. Add a Network identity.

An identity is an entity that Umbrella protects through policies and monitors through reports. For more information, see Add a Network Identity.

Step 2: Configure Your DNS Settings

To enable Umbrella DNS-layer security, you must point the DNS settings of your operating system, hardware firewall, or router to Umbrella's domain name server IP addresses. You must also turn off the automatic DNS servers provided by your internet service provider (ISP). Umbrella supports both IPv4 and IPv6 addresses. For more information, see Point Your DNS to Cisco Umbrella.
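One way to check this step on a Linux or Unix host is to audit `resolv.conf` for any resolver that is not an Umbrella address, such as an ISP server left in place by DHCP. This is an added example, not Cisco's code; the function names are hypothetical, and the resolver addresses are an assumption not listed on this page (confirm them in Point Your DNS to Cisco Umbrella).

```python
import ipaddress

# Assumption: the widely published Umbrella anycast resolvers. This page does not
# list them; confirm against "Point Your DNS to Cisco Umbrella" before relying on it.
UMBRELLA_RESOLVERS = frozenset(ipaddress.ip_address(a) for a in (
    "208.67.222.222", "208.67.220.220", "2620:119:35::35", "2620:119:53::53"))

# Constructed sample: DHCP has left an ISP-assigned resolver (192.0.2.53) in place.
SAMPLE_RESOLV_CONF = """\
# generated by a DHCP client (constructed example)
nameserver 208.67.222.222
nameserver 192.0.2.53
nameserver 2620:119:53::53
"""

def parse_nameservers(text):
    """Return nameserver addresses from resolv.conf-style text, in file order."""
    servers = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                # Drop an IPv6 zone id such as fe80::1%eth0 before parsing.
                servers.append(ipaddress.ip_address(fields[1].split("%", 1)[0]))
            except ValueError:
                continue  # skip a malformed address
    return servers

def audit_resolvers(text, expected=UMBRELLA_RESOLVERS):
    """Classify the configured resolvers against the expected set."""
    servers = parse_nameservers(text)
    stubs = [s for s in servers if s.is_loopback]
    stray = [s for s in servers if s not in expected and not s.is_loopback]
    if not servers:
        status = "no-resolvers"
    elif stray:
        status = "stray-resolver"  # e.g. an ISP server that was never turned off
    elif stubs:
        status = "local-stub"      # a local forwarder; audit its upstream separately
    else:
        status = "ok"
    return {"status": status,
            "stray": [str(s) for s in stray],
            "stubs": [str(s) for s in stubs]}

if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        print(audit_resolvers(fh.read()))
```

A `local-stub` result (for example `127.0.0.53` on hosts with a local caching resolver) means the file alone cannot show where queries go; check the forwarder's upstream configuration as well.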

After you complete Steps 1 and 2, all users and devices on your network are protected. For additional visibility and control, per-user or per-IP policy, or internal IP address logging, continue to Step 3. Otherwise, you can skip to Step 4: Add a DNS Policy.

Step 3: Set Up Clients, Network Devices, and Virtual Appliances (Optional)

Set up a roaming computer, network device, mobile device, Chromebook, or Virtual Appliance.

Set Up an Umbrella Roaming Client or AnyConnect Roaming Security Module

Umbrella offers two endpoint agents for Windows and macOS: AnyConnect Roaming Security Module and Umbrella Roaming Client. You can use either endpoint agent on-network for enhanced visibility and control, and seamless policy that follows the user. We recommend the AnyConnect Roaming Security Module.

Most Umbrella subscriptions include the AnyConnect Roaming Security Module. The AnyConnect Roaming Security Module does not require the use of a Cisco VPN, and it is highly compatible with third-party VPNs. For more information, see The AnyConnect Plugin: Umbrella Roaming Security.

Set Up an Umbrella Mobile Client App

Set Up a Network Device

A Network Device represents the integration of a specific type of device—a router, switch, access point, or firewall—with Umbrella. A Network Device provides DNS traffic redirection to Umbrella and encryption. Some Network Devices provide additional features:

  • Adding internal IP addresses to DNS requests for enhanced logging.
  • Policy by network segment or service set identifier (SSID).

Note: You can only deploy a Network Device on-network. You may deploy a Network Device as an alternative to an Umbrella Virtual Appliance.

To deploy a network device:

  1. Log in to Umbrella and create an Umbrella Network Device API key.
  2. Register the Umbrella Network Device API key with the network device.
  3. Add a network device identity to a DNS policy.
  4. Confirm protection is working on the network.

For more information about hardware network devices, see Hardware Deployments.

For information about the Umbrella Network Devices and Policies API, see Network and Devices Policies API Overview.

Set Up a Chromebook Client

Umbrella provides DNS-layer security protection for Chromebook users on and off network through the Umbrella Chromebook client. For more information, see Chromebook Client User Guide.

Set Up a Virtual Appliance

An Umbrella virtual appliance (VA) is a lightweight virtual machine that is compatible with VMware ESX/ESXi, Windows Hyper-V, Nutanix, and KVM hypervisors. You can use the Umbrella VA with the Microsoft Azure, Google Cloud Platform, and Amazon Web Services cloud platforms.

Use the Umbrella Virtual Appliance to:

  • Serve as a conditional DNS forwarder
  • Enable Active Directory (AD) integration

For more information, see Virtual Appliance User Guide.

Step 4: Add a DNS Policy

Add a DNS policy and enable an identity in the DNS policy. For more information, see Manage DNS Policies.

Step 5: Test Your DNS Policies

You can evaluate the configuration of your DNS-layer security and Umbrella DNS policies. To get started, run the DNS policy tester, load an Umbrella test URL in a browser, or view the reports for the identities in your system.

Test DNS Policies:

Test Destinations or File Analysis and Inspection:

View Reports and Monitor Your Identities and Traffic:

You can view the traffic from your identities, audit administrative changes in the system, and monitor potential threats in your networks through the Umbrella Admin Audit Log, Activity Search, and Security Activity reports. For newly added identities, the first report may take up to one hour to appear. After the initial delay, DNS queries appear in reports in a few seconds. For more information, see Get Started with Reports.

