Does Cisco Umbrella rely only on DNS filtering based on categories?
11-14-2021 02:22 AM
Trying to understand a little more how DNS filtering works with Cisco Umbrella.
Does Umbrella block URL or content filtering or DNS queries based on categories that have been chosen to block? Does it even block phishing websites or malicious URLs, perhaps ones that fall under an allowed category?
11-14-2021 03:16 AM
Hi,
You can do category-based filtering with Umbrella as well as customized blocking.
Good luck
KB
11-14-2021 03:29 AM
@Kasun Bandara
Thanks for the comment.
But does Umbrella block the URLs before going through categories or the destination list?
Let me illustrate with an example:
If a user clicks a malicious link and that URL falls under any allowed category, will it still be allowed?
Secondly, I do not want to use Umbrella URL filtering, just DNS security, IP layer protection, malware detection, etc.
How would that be accomplished?
11-14-2021 07:27 PM - edited 11-14-2021 07:33 PM
Hi,
You can block using categories, and if you need to enable some URL inside the group, you need to exclude it from the allowed list.
Good luck
KB
11-14-2021 09:57 PM - edited 11-14-2021 09:58 PM
Thank you for the clarification. In a sense, Umbrella filters block websites based on categories that we choose to block. Furthermore, when endpoints send DNS queries to Cisco Umbrella and the traffic is known to be malicious in the Umbrella database (Talos), it will respond with the IP address of a block page, thus preventing the connection, even though the URL domain was allowed under categories or the destination list.

11-17-2021 11:56 AM
That's correct. The only time a malicious site would be allowed is if you explicitly put that domain on a Destination List in Allow mode.
04-21-2022 07:25 AM
Sorry to rehash an old discussion, but I'm curious how Umbrella handles a scenario where a blocked website is being hosted on the same provider IP address as a benign site but has a different URL string. Specifically, if a category is chosen to block (gambling for example) and the website is hosted on the same HTTP server that also hosts other gaming sites that are not blocked by category, does Umbrella evaluate the entire URL to determine if the destination website is blocked? Or does it depend on the DNS resolution of the domain name to determine if the entire site is blocked because the same IP also hosts blocked content? If Umbrella can block the full URL, is the selective proxy feature required and what license level is required?

04-22-2022 06:47 PM - edited 04-22-2022 06:48 PM
Hi @Danielle Greene - the IP address doesn't come into play in this scenario (though we do sometimes block entire servers if the IP is flagged by our security classifiers).
In the case you are describing, there are two cases:
1) Using Cisco Umbrella DNS layer protection (DNS Essentials or DNS Advantage)
In this case, a domain or subdomain may have one or more categories associated with it. When DNS transactions happen, the entire URL is not revealed, only the fully qualified domain name. So Umbrella DNS protection makes decisions based on the category or categories of the domain. So hypothetically www.example.com/searchengine and www.example.com/video would share content category or categories in terms of DNS policy because the domain is the same. By comparison, if different subdomains are used like search.example.com and video.example.com, these destinations could be categorized independently of each other.
2) Using Cisco Umbrella Secure Internet Gateway (SIG Essentials or SIG Advantage)
Secure Internet Gateway includes a web proxy, and when HTTPS decryption is enabled in your policy it can look at the entire URL and make more granular decisions about the content categories. So compared to the previous example, URLs like www.example.com/searchengine and www.example.com/video could be categorized differently even when the domain and subdomain are identical.
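
A simplified model of the behaviour described in the replies above, added here as an example; it is not part of any poster's reply and not Cisco's code. It shows why the DNS layer and a decrypting proxy can reach different verdicts for the same URL, and how an explicit Allow entry outranks a security verdict. The policy data, category labels and the `decide` function are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed policy data for illustration; not real Umbrella categorizations.
ALLOW_LIST = {"allowed-bad.example.net"}         # Destination List in Allow mode
SECURITY_FLAGGED = {"bad.example.org", "allowed-bad.example.net"}
BLOCKED_CATEGORIES = {"video"}
DOMAIN_CATEGORIES = {                            # all the DNS layer can key on
    "www.example.com": {"search", "video"},
    "search.example.com": {"search"},
    "video.example.com": {"video"},
    "bad.example.org": {"search"},               # sits in an allowed category
    "allowed-bad.example.net": {"search"},
}
URL_CATEGORIES = {                               # visible only to a decrypting proxy
    ("www.example.com", "/searchengine"): {"search"},
    ("www.example.com", "/video"): {"video"},
}


def decide(url, layer):
    """Verdict for url at layer 'dns' (FQDN only) or 'proxy' (full URL)."""
    parts = urlsplit(url)
    host = parts.hostname
    if host in ALLOW_LIST:                       # explicit allow wins, even over security
        return "allow (destination list)"
    if host in SECURITY_FLAGGED:                 # security verdict ignores category choices
        return "block (security)"
    categories = DOMAIN_CATEGORIES.get(host, set())
    if layer == "proxy":                         # the proxy can refine the verdict by path
        categories = URL_CATEGORIES.get((host, parts.path), categories)
    if categories & BLOCKED_CATEGORIES:
        return "block (category)"
    return "allow"


if __name__ == "__main__":
    samples = [
        ("https://www.example.com/searchengine", "dns"),
        ("https://www.example.com/searchengine", "proxy"),
        ("https://www.example.com/video", "proxy"),
        ("https://search.example.com/", "dns"),
        ("https://video.example.com/", "dns"),
        ("https://bad.example.org/login", "dns"),
        ("https://allowed-bad.example.net/", "dns"),
    ]
    for url, layer in samples:
        print(f"{layer:5} {url:40} -> {decide(url, layer)}")
```

The first two samples are the same URL: the DNS layer blocks it because the domain as a whole carries a blocked category, while the proxy allows it because the path is categorized on its own.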
04-22-2022 10:16 PM - edited 05-02-2022 04:50 AM
Cisco Umbrella offers security protection for both Home and Enterprise users through filtering DNS requests. The job of the DNS servers is to translate website URLs to their respective IP address. This makes accessing websites much more user-friendly without having to remember long IP addresses.
