Umbrella dns settings for VA

vishal77
Level 1

Hello All,

 

I configured 2 virtual appliances for Umbrella on different ESXi hosts. My internal network subnet lies in 192.168.0.0/16, where the DNS server has IP 192.168.10.xx/24, the virtual appliances have IPs in 192.168.20.xx/24, and the user subnets lie on 192.168.1.0/23.

Basically, I want to know the settings below so that users' DNS traffic is diverted to the virtual appliances for external DNS requests, which then go to Umbrella, but not for internal DNS requests.

 

1) Do I need to change the network adapter of the DNS server to localhost, i.e. 127.0.0.1, as the VA would now act on DNS requests coming from users?

2) What will be the forwarder IP in the DNS server (Umbrella OpenDNS IPs 208.67.222.222/208.67.220.220 or the VA IP address)?

3) What will be the IP address on the user systems (Umbrella OpenDNS IPs 208.67.222.222/208.67.220.220 or the VA IP address)?

 

Please respond

5 Replies

On the DNS server adapter settings, use the loopback address (127.0.0.1) so that the server will use itself for DNS resolution. The second entry should be another internal DNS server.

 

On the forwarder settings of the DNS server, we recommend using the Umbrella Anycast IPs (208.67.222.222/208.67.220.220) rather than the VA IPs. This limits the ability to see the source IP when viewing reports but avoids any problems with DNS loops if there is a misconfiguration on either the VA or internal DNS server.

 

The users will use the Umbrella VA IP address for their DNS server; this way Umbrella will learn the source IP address of the DNS queries.

 

https://docs.umbrella.com/deployment-umbrella/docs/7-route-dns-traffic

https://docs.umbrella.com/deployment-umbrella/docs/appx-a-communication-flow-and-troubleshooting
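The loop risk the reply above warns about, traced through a small model of the forwarding chain; this is an added example, not code from the thread or from Umbrella, and the host IPs, the `corp.example`/`lab.example` names and the VA's internal-domain list are constructed assumptions. It contrasts the recommended setup (DC forwarders = Umbrella Anycast) with DC forwarders pointed at the VA, where a name the VA treats as internal but the DC does not host bounces between the two.

```python
UMBRELLA_ANYCAST = ("208.67.222.222", "208.67.220.220")   # from the thread


def in_domain(name, domain):
    """True if `name` is `domain` or a subdomain of it (case-insensitive)."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def next_hop(name, node):
    """Where this resolver sends `name`; None means it answers itself."""
    if node["kind"] == "va":          # VA: internal domains -> DC, rest -> Umbrella
        internal = any(in_domain(name, d) for d in node["internal_domains"])
        return node["internal_next"] if internal else node["external_next"]
    if node["kind"] == "dns_server":  # DC: own zones answered, rest forwarded
        if any(in_domain(name, z) for z in node["zones"]):
            return None
        return node["forwarders"][0]
    return None                       # Umbrella answers every name it gets


def trace(name, start_ip, resolvers, max_hops=8):
    """Return the hop list for `name`, ending in 'umbrella', 'authoritative' or 'LOOP'."""
    path, cur = [], start_ip
    for _ in range(max_hops):
        if cur in path:               # revisiting a resolver: forwarding loop
            return path + ["LOOP"]
        path.append(cur)
        node = resolvers[cur]
        nxt = next_hop(name, node)
        if nxt is None:
            return path + ["umbrella" if node["kind"] == "umbrella" else "authoritative"]
        cur = nxt
    return path + ["LOOP"]


def build(forwarders):
    """Topology from the thread with constructed host IPs and domain names."""
    return {
        "192.168.20.10": {"kind": "va", "internal_domains": ("corp.example", "lab.example"),
                          "internal_next": "192.168.10.5", "external_next": UMBRELLA_ANYCAST[0]},
        "192.168.10.5": {"kind": "dns_server", "zones": ("corp.example",),
                         "forwarders": forwarders},
        UMBRELLA_ANYCAST[0]: {"kind": "umbrella"},
    }


RECOMMENDED = build(UMBRELLA_ANYCAST)      # DC forwarders = Umbrella Anycast (first reply)
RISKY = build(("192.168.20.10",))          # DC forwarders = VA IP
```

Running `trace("host.lab.example", "192.168.20.10", RISKY)` shows the VA-to-DC-to-VA cycle that Anycast forwarders avoid.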

Jay Ponce
Cisco Employee

To provide visibility and enhance Layer 2 (DNS) security, you will want to point all of the DNS settings of the client computers to the VA servers. The two VA DNS servers will forward all of your internal domain requests to your DC DNS server and external DNS requests to OpenDNS (208.67.222.222 and 208.67.220.220), as it will check for the policies that you have implemented for your network. Under the Umbrella portal, you will need to download the Active Directory components to integrate the internal DNS servers with Umbrella.


1) Do I need to change the network adapter of the DNS server to localhost, i.e. 127.0.0.1, as the VA would now act on DNS requests coming from users?

   It depends on whether your DNS server is the Domain Controller. If it is, change your network adapter DNS settings to 127.0.0.1 and add the secondary DC. You want your internal DNS servers to point to at least 2 DCs for redundancy.

2) What will be the forwarder IP in the DNS server (Umbrella OpenDNS IPs 208.67.222.222/208.67.220.220 or the VA IP address)?

   Either the OpenDNS or the VA IP addresses will work. Just make sure you have the network and Active Directory configured correctly under the Umbrella admin portal.

3) What will be the IP address on the user systems (Umbrella OpenDNS IPs 208.67.222.222/208.67.220.220 or the VA IP address)?

   The clients will need to use the VA IP addresses. The VA servers will forward your domain requests to the internal servers and external requests to the OpenDNS servers.

Hi Jay,

 

Thanks for replying.

 

But wouldn't changing the network adapter settings of the DNS server to localhost 127.0.0.1 (it currently has IP address 192.168.10.xx/24) remove it from the network, and make it impossible to manage if required? Also, what do you mean by adding a secondary DC?

 

Also, one more question:

Is there any specific configuration needed for users to access internal domain websites without forwarding the request to Umbrella?

 

Thanks in advance

So if the DNS server is a Domain Controller (which it is by default), you will not remove it from the network by changing the DNS settings to 127.0.0.1. If the DNS server is not a DC, then the DNS server needs to point to the primary DC and a secondary DC for redundancy.

Our recommendation and design for Umbrella is to send all of the queries to the VA servers. This will provide more visibility to Umbrella and security to the infrastructure. I assume there are workarounds; however, they are not going to be best practices.

Thank you, Jay