2022 · 0 Helpful · 4 Replies
Umbrella setup with VA without AD integration

1netconsulting (Level 1)

Hello,

I am looking for an option to deploy Umbrella in an AD environment (but without AD integration and roaming clients) and have the ability to track end-system IP addresses.


Will this scenario work:

Deploy Umbrella VA and point end systems (including servers) DNS to VA. For domain controllers specify forwarders pointing to Umbrella for external DNS queries.


4 Replies

Hi @1netconsulting 

If your clients continue to point to the internal DNS server, which then sends the external DNS queries to Umbrella VA, the VA will see only the internal DNS server(s) as the source IP address, not the clients. The Umbrella VA needs to be the primary DNS server, forwarding internal DNS queries to the internal DNS servers.


The only exception to that (that I am aware of) is Infoblox, which can preserve the original IP address before forwarding to the Umbrella VA.


HTH

This is not the scenario I am asking about:
Internal devices will be pointing to the VA for DNS resolution.
The VA is configured to point to internal DNS servers (which in my case are AD controllers) only for internal domain resolution. All external DNS requests from the VA are going to Umbrella servers.
The difference in this suggested scenario compared to the "standard" one is that there are no AD connectors/sync script configured.

OK, I misunderstood this: "For domain controllers specify forwarders pointing to Umbrella for external DNS queries." The domain controllers should never receive external DNS queries if the VA is the primary DNS server. Umbrella doesn't recommend pointing the DCs' DNS to the VAs, as that can create a loop in DNS.


No, you don't need to run the script or configure AD connectors; you can just use the VA, which will encrypt and forward the DNS request, including the learnt client IP address, to the cloud, or, if local, forward it to the internal DNS server.
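The following is an added example, not Cisco's code and not either poster's configuration. It models the three query paths discussed in this thread as a small forwarding simulation: clients resolving through the DC first (the VA only ever sees the DC's address), clients resolving through the VA first with only internal zones forwarded to the DC (the VA sees the real client address), and a DC that forwards to a VA whose internal-domain list is broader than the DC's authoritative zones (one way the loop warned about above can arise). The resolver names, the `corp.example` zone, the addresses, and the `preserves_client_ip` flag standing in for the Infoblox behaviour mentioned earlier are all constructed assumptions.

```python
"""Trace which resolver a DNS query passes through and which source IP the
Umbrella VA would attribute it to.

Constructed example for the forum thread above; zone names, addresses and
resolver names are assumptions, not values from any real deployment.
"""
from dataclasses import dataclass

UMBRELLA = "umbrella-cloud"   # placeholder name for the Umbrella resolvers
CLIENT_IP = "10.0.1.50"       # constructed workstation address


@dataclass
class Resolver:
    name: str
    ip: str
    # zone suffix -> next hop name; "" is the default (external) forwarder.
    # A value of None means the resolver answers that zone itself.
    forwards: dict
    is_va: bool = False
    preserves_client_ip: bool = False  # Infoblox-style behaviour per the thread


def next_hop(resolver: Resolver, qname: str):
    """Most specific configured zone wins; "" (default forwarder) otherwise."""
    best = ""
    for zone in resolver.forwards:
        if zone and (qname == zone or qname.endswith("." + zone)) and len(zone) > len(best):
            best = zone
    return resolver.forwards[best]


def trace(resolvers: dict, client_ip: str, first_hop: str, qname: str):
    """Return (path, ip_seen_by_va, looped).

    ip_seen_by_va is the source address the VA would log for the query,
    or None if the query never reaches a VA.
    """
    path, visited = [], set()
    hop, src, seen_by_va = first_hop, client_ip, None
    while hop != UMBRELLA:
        if hop in visited:                  # same resolver twice: forwarding loop
            return path + [hop], seen_by_va, True
        visited.add(hop)
        path.append(hop)
        node = resolvers[hop]
        if node.is_va:
            seen_by_va = src
        nxt = next_hop(node, qname)
        if nxt is None:                     # answered locally (authoritative zone)
            return path, seen_by_va, False
        if not node.preserves_client_ip:    # an ordinary forwarder re-originates the query
            src = node.ip
        hop = nxt
    return path + [UMBRELLA], seen_by_va, False


def dc_first():
    """Clients -> DC; DC forwards external names to the VA (as the reply first read the plan)."""
    r = {
        "dc1": Resolver("dc1", "10.0.0.10", {"corp.example": None, "": "va1"}),
        "va1": Resolver("va1", "10.0.0.20", {"corp.example": "dc1", "": UMBRELLA}, is_va=True),
    }
    return trace(r, CLIENT_IP, "dc1", "www.example.net")


def va_first():
    """Clients -> VA; VA forwards only the internal zone to the DC (the accepted solution)."""
    r = {
        "va1": Resolver("va1", "10.0.0.20", {"corp.example": "dc1", "": UMBRELLA}, is_va=True),
        "dc1": Resolver("dc1", "10.0.0.10", {"corp.example": None, "": "va1"}),
    }
    external = trace(r, CLIENT_IP, "va1", "www.example.net")
    internal = trace(r, CLIENT_IP, "va1", "fileserver.corp.example")
    return external, internal


def ip_preserving_forwarder():
    """Clients -> a forwarder that keeps the original client IP (Infoblox-style, assumed)."""
    r = {
        "dc1": Resolver("dc1", "10.0.0.10", {"corp.example": None, "": "va1"}, preserves_client_ip=True),
        "va1": Resolver("va1", "10.0.0.20", {"corp.example": "dc1", "": UMBRELLA}, is_va=True),
    }
    return trace(r, CLIENT_IP, "dc1", "www.example.net")


def forwarding_loop():
    """DC forwards to the VA, but the VA's internal-domain list ('example') is broader
    than the DC's authoritative zone ('corp.example'): a name under 'example' that the
    DC does not own bounces between the two (constructed loop case)."""
    r = {
        "dc1": Resolver("dc1", "10.0.0.10", {"corp.example": None, "": "va1"}),
        "va1": Resolver("va1", "10.0.0.20", {"example": "dc1", "": UMBRELLA}, is_va=True),
    }
    return trace(r, CLIENT_IP, "dc1", "printer.lab.example")


if __name__ == "__main__":
    for label, result in (("DC first", dc_first()), ("VA first", va_first()),
                          ("IP-preserving forwarder", ip_preserving_forwarder()),
                          ("loop", forwarding_loop())):
        print(f"{label}: {result}")
```

The model reduces each resolver to a suffix-matching forwarding table, which is enough to show the attribution point: only the resolver that first receives the query from the client knows the client's address, so the VA must be that resolver unless something upstream explicitly preserves it. The loop case is detected by revisiting a resolver, which is the check a real resolver lacks when two forwarders each believe the other owns a name.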

1netconsulting (Level 1)

OK, I configured it as planned:

1. AD controllers, which are running DNS, are pointing to VAs via forwarders.

2. All DHCP clients and other servers are pointing to VAs.

VAs are set to point to AD controllers for local DNS zones resolution.

As a result, I have the ability to identify the sources (IP addresses) of the DNS requests for Internet destinations.