Does Cisco Umbrella rely only on DNS filtering based on categories?

techno.it
Level 1

Trying to understand a little more how DNS filtering works with Cisco Umbrella.

Does the Umbrella block URL or content filtering or DNS queries based on categories that have been chosen to block? Does it even block phishing websites or malicious URLs, perhaps that falls under the allowed category?

8 Replies

Hi,

You can do category-based filtering with Umbrella as well as customized blocking.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

techno.it
Level 1

@Kasun Bandara
Thanks for the comment.

But does Umbrella block the URLs before going through categories or the destination list?

Let me illustrate with an example.

If a user clicks a malicious link and that URL falls under any allowed categories, will it still be allowed?

Secondly, I do not want to use Umbrella URL filtering, instead just DNS Security, IP layer protection, malware detection, etc.

How would that be accomplished?

Hi,

You can block using categories, and if you need to enable some URL inside the group, you need to exclude it from the allowed list.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

techno.it
Level 1

@Kasun Bandara

Thank you for the clarification. In a sense, Umbrella filters block websites based on categories that we choose to block. Furthermore, when endpoints send DNS queries to Cisco Umbrella and if the traffic is known to be malicious in the Umbrella database (Talos), it will respond with the IP address of a block page, thus preventing the connection, even though the URL domain was allowed under categories or the destination list.

That's correct. The only time a malicious site would be allowed is if you explicitly put that domain on a Destination List in Allow mode.

@adamwin 

Sorry to rehash an old discussion, but I'm curious how Umbrella handles a scenario where a blocked website is being hosted on the same provider IP address as a benign site but has a different URL string. Specifically, if a category is chosen to block (gambling for example) and the website is hosted on the same HTTP server that also hosts other gaming sites that are not blocked by category, does Umbrella evaluate the entire URL to determine if the destination website is blocked? Or does it depend on the DNS resolution of the domain name to determine if the entire site is blocked because the same IP also hosts blocked content? If Umbrella can block the full URL, is the selective proxy feature required and what license level is required?

Hi @Danielle Greene - the IP address doesn't come into play in this scenario (though we do sometimes block entire servers if the IP is flagged by our security classifiers).

In the case you are describing, there are two cases:

1) Using Cisco Umbrella DNS layer protection (DNS Essentials or DNS Advantage)

In this case, a domain or subdomain may have one or more categories associated with it. When DNS transactions happen, the entire URL is not revealed, only the fully qualified domain name. So Umbrella DNS protection makes decisions based on the category or categories of the domain. So hypothetically www.example.com/searchengine and www.example.com/video would share content category or categories in terms of DNS policy because the domain is the same. By comparison, if different subdomains are used like search.example.com and video.example.com, these destinations could be categorized independently of each other.

2) Using Cisco Umbrella Secure Internet Gateway (SIG Essentials or SIG Advantage)

Secure Internet Gateway includes a web proxy, and when HTTPS decryption is enabled in your policy it can look at the entire URL and make more granular decisions about the content categories. So compared to the previous example, URLs like www.example.com/searchengine and www.example.com/video could be categorized differently even when the domain and subdomain are identical. 
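
The difference between the two cases above, and the allow-list exception mentioned earlier in the thread, as an added Python sketch that is not part of the original thread and is not Cisco's implementation. The category tables, domain names, function names and the exact-match allow list are all constructed assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data (hypothetical, not Umbrella's database).
DOMAIN_CATEGORIES = {
    "example.com": {"Search Engines"},
    "video.example.com": {"Video Sharing"},
    "bets.example.net": {"Gambling"},
}
URL_CATEGORIES = {  # path-level categories, visible only to a decrypting proxy
    ("www.example.com", "/video"): {"Video Sharing"},
    ("www.example.com", "/searchengine"): {"Search Engines"},
}
SECURITY_BLOCKED = {"malicious.example.org"}  # known-malicious domains
ALLOW_LIST = set()                            # destination list in allow mode
BLOCKED_CATEGORIES = {"Gambling", "Video Sharing"}

def domain_categories(fqdn):
    """Longest-suffix match, so subdomains can be categorized independently."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        cats = DOMAIN_CATEGORIES.get(".".join(labels[i:]))
        if cats is not None:
            return cats
    return set()

def dns_verdict(url):
    """DNS layer: the policy sees only the FQDN, never the path."""
    fqdn = urlsplit(url).hostname or ""
    if fqdn in ALLOW_LIST:            # explicit allow is the only override
        return "allow"
    if fqdn in SECURITY_BLOCKED:      # security block applies even if the
        return "block:security"       # domain's category is allowed
    if domain_categories(fqdn) & BLOCKED_CATEGORIES:
        return "block:category"
    return "allow"

def proxy_verdict(url):
    """Proxy with HTTPS decryption: the path can refine the category."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    for (h, prefix), cats in URL_CATEGORIES.items():
        if host == h and parts.path.startswith(prefix):
            return "block:category" if cats & BLOCKED_CATEGORIES else "allow"
    return dns_verdict(url)           # no path-level entry: fall back to domain
```

With this sample data, both `www.example.com` URLs get the same DNS-layer verdict, while the proxy-layer check blocks only the `/video` path.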

alirafaleiro
Level 1

Cisco Umbrella offers security protection for both Home and Enterprise users through filtering DNS requests. The job of the DNS servers is to translate website URLs to their respective IP address. This makes accessing websites much more user-friendly without having to remember long IP addresses.
