Cisco Umbrella Internal Subnet block

Hi Guys,

I have deployed Cisco Umbrella and it's working fine. Now I have a new requirement: we have 5 internal subnets, and the company wants to deny DNS resolution requests from the 172.30.0.0/16 subnet, except for the 172.30.111.0/24 segment, on Umbrella.

Let me know how I can do this task.

Thanks


4 Replies

Hi,
You don't want the 172.16.0.0/16 network to resolve any DNS request?

Assuming you are using the Umbrella Virtual Appliance (VA), you could define a couple of DNS policies. Create the first policy, which permits 172.30.111.0/24. And another policy (or the default) which is set to "Allow-only mode", which allows only a list of defined domains and blocks the rest.

HTH

Hi Rob,

Thanks for the response. I'm using 2 VAs and I have 1 custom security policy on Umbrella. Do you want me to create another policy on top of that custom policy to block everything for that subnet, and the rest of the subnets will use the secondary policy to access the internet?

Let me know if my understanding is correct.

 

Hi,
The DNS policies are applied top down on a first-match basis. If you define the first rule in "Allow-only mode" for 172.30.0.0/16, then that will also affect the 172.30.111.0/24 network. Your topmost rule would need to permit from 172.30.111.0/24; the rule below should be "Allow-only mode".

Hi Rob,

Permit from 172.30.111.0/24

Deny everything 172.30.0.0/16

Allow policy for other subnets with all custom security

Default policy.

As you suggested, I will make the policy in this way.

Thanks.
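To make the ordering point from Rob's reply concrete, here is a small first-match policy simulator, written for this page as an added example (it is not Umbrella code and is not how Umbrella evaluates policies internally; it only models the behaviour the thread describes). It builds the four-policy list from the final post above and the misordered variant Rob warns about, then shows that a client in 172.30.111.0/24 is blocked when the "Allow-only" /16 policy sits above the /24 permit, and allowed when the /24 permit is first. The policy names, the sample client IPs and the domains are made up for the example; "allow_only" with an empty domain list stands in for "deny everything".

```python
"""First-match DNS policy ordering, modelled on the Umbrella thread above.

Added example: a simplified simulation, not Umbrella's engine.
Policies are evaluated top down; the first policy whose identity
matches the client's source IP decides the query and no later policy
is consulted. An "allow_only" policy blocks every domain not on its
list, a "block_list" policy blocks only the domains on its list.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    identities: list                 # CIDR strings; "0.0.0.0/0" = catch-all default
    mode: str                        # "allow" | "allow_only" | "block_list"
    domains: frozenset = field(default_factory=frozenset)

    def matches(self, src_ip: str) -> bool:
        """Identity match: is the client in one of this policy's networks?"""
        ip = ipaddress.ip_address(src_ip)
        return any(ip in ipaddress.ip_network(c) for c in self.identities)

    def _listed(self, domain: str) -> bool:
        """Exact or parent-domain match against the policy's domain list."""
        return any(domain == d or domain.endswith("." + d) for d in self.domains)

    def decide(self, domain: str) -> str:
        if self.mode == "allow_only":
            return "allow" if self._listed(domain) else "block"
        if self.mode == "block_list":
            return "block" if self._listed(domain) else "allow"
        return "allow"


def evaluate(policies, src_ip: str, domain: str):
    """Return (policy name, verdict) for the first policy matching src_ip."""
    for p in policies:
        if p.matches(src_ip):
            return p.name, p.decide(domain)
    return None, "allow"             # unreachable when a 0.0.0.0/0 default exists


# --- constructed policy sets (hypothetical names) --------------------------
PERMIT_111 = Policy("permit-172.30.111.0-24", ["172.30.111.0/24"], "allow")
DENY_30 = Policy("deny-172.30.0.0-16", ["172.30.0.0/16"], "allow_only")  # empty list = deny all
OTHER_SUBNETS = Policy(
    "other-subnets-security",
    ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16", "10.4.0.0/16"],
    "block_list",
    frozenset({"malware.test"}),   # stands in for the custom security policy
)
DEFAULT = Policy("default", ["0.0.0.0/0"], "allow")

# Order from the final post: /24 permit above the /16 allow-only policy.
CORRECT_ORDER = [PERMIT_111, DENY_30, OTHER_SUBNETS, DEFAULT]
# The misordering Rob warns about: the /16 policy also swallows the /24.
MISORDERED = [DENY_30, PERMIT_111, OTHER_SUBNETS, DEFAULT]


def compare(src_ip: str, domain: str) -> dict:
    """Verdict for one query under both orderings, keyed by ordering name."""
    return {
        "correct": evaluate(CORRECT_ORDER, src_ip, domain),
        "misordered": evaluate(MISORDERED, src_ip, domain),
    }


if __name__ == "__main__":
    for ip, dom in [("172.30.111.10", "example.com"),   # exempt /24
                    ("172.30.5.7", "example.com"),      # rest of the /16
                    ("10.2.3.4", "example.com"),        # other internal subnet
                    ("10.2.3.4", "evil.malware.test"),  # hits the block list
                    ("192.168.1.1", "example.com")]:    # falls to default
        print(f"{ip:15} {dom:22} {compare(ip, dom)}")
```

The misordered run is the case to watch for when building the list in the dashboard: a client in 172.30.111.0/24 still matches the broader 172.30.0.0/16 identity, so whichever of the two policies is listed first decides the query.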