ISR-4K/1K: Umbrella Integration (OpenDNS) Step by Step Configuration

Documentation

OpenDNS Documentation: https://docs.opendns.com/product/hardware/cisco-umbrella-isr4k/

Cisco Documentation: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_utd/configuration/xe-16/sec-data-umbrella-branch-xe-16-book.html

Prerequisite and code download links

Code Download Link: https://software.cisco.com/download/type.html?mdfid=284389362&catid=null

  • ISR-4K must be running Polaris (16.3) image or above
  • Security K9 license enabled on the router

Goal

To configure the OpenDNS connector on the ISR so that it redirects all DNS traffic, except queries for local domains, to the OpenDNS resolvers.

Limitations/Restrictions

OpenDNS has no effect in the following cases, meaning such traffic is not filtered by the policies configured on the OpenDNS portal:

  • Loading a page using IP address
  • Using a proxy on the browser

Topology

[Figure: topology.jpg]

How OpenDNS works

  1. All DNS traffic is intercepted by the ISR. If the query is for a local domain, the DNS packet is left unchanged and is not redirected; otherwise the ISR adds EDNS0 options to the query and forwards it to the OpenDNS cloud.
  2. Based on the policies configured on the OpenDNS portal, if the HTTP client is trying to reach a page that is blocked or malicious, OpenDNS returns the IP address of its block page as the DNS response.
  3. The HTTP client then sends its HTTP request to that OpenDNS cloud IP address, and OpenDNS states the reason for blocking the content in the HTTP response.

Step by Step Configuration

Upgrade the router image to Polaris (16.3) or higher

ISR-4321-OpenDNS#copy tftp: flash:
Address or name of remote host [10.10.20.2]?
Source filename [isr4300-universalk9.16.03.06.SPA.bin]?
Destination filename [isr4300-universalk9.16.03.06.SPA.bin]?
Accessing tftp://10.10.20.2/isr4300-universalk9.16.03.06.SPA.bin...
Loading isr4300-universalk9.16.03.06.SPA.bin from 10.10.20.2 (via GigabitEthernet0/0/1): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 509907627 bytes]
509907627 bytes copied in 414.230 secs (1230977 bytes/sec)

Upgrade ROMMON

After upgrading to 16.3 or higher, the ROMMON must also be upgraded. Download the isr4200_4300_rommon_167_3r_SPA.pkg image from the Cisco download page (Cisco 4321 Integrated Services Router - Cisco), copy it to flash, and then run the "upgrade rom-monitor" command as shown below.

ISR-4321-OpenDNS#copy tftp flash:
Address or name of remote host []? 10.10.20.2
Source filename []? isr4200_4300_rommon_167_3r_SPA.pkg
Destination filename [isr4200_4300_rommon_167_3r_SPA.pkg]?
Accessing tftp://10.10.20.2/isr4200_4300_rommon_167_3r_SPA.pkg...
Loading isr4200_4300_rommon_167_3r_SPA.pkg from 10.10.20.2 (via GigabitEthernet0/0/1): !!!!!!!!!!!
[OK - 2646988 bytes]

CWS-Tunnel-RTR#upgrade rom-monitor filename bootflash:isr4200_4300_rommon_167_3r_SPA.pkg R0
Chassis model ISR4321/K9 has a single rom-monitor.
Upgrade rom-monitor
Target copying rom-monitor image file
selected : 0
Booted : 0
Reset Reason: 0
Info: Upgrading entire flash from the rommon package
4259840+0 records in
4259840+0 records out
262144+0 records in
262144+0 records out
655360+0 records in
655360+0 records out
4194304+0 records in
4194304+0 records out
File  is a FIPS ROMMON image
FIPS-140-3 Load Test on  has PASSED.
Authenticity of the image has been verified.
Switching to ROM 1
8192+0 records in
8192+0 records out
Upgrade image MD5 signature is b702a0a59a46a20a4924f9b17b8f0887
4259840+0 records in
4259840+0 records out
4194304+0 records in
4194304+0 records out
4194304+0 records in
4194304+0 records out
262144+0 records in
262144+0 records out
Upgrade image MD5 signature verification is b702a0a59a46a20a4924f9b17b8f0887
Switching back to ROM 0
ROMMON upgrade complete.
To make the new ROMMON permanent, you must restart the RP.

Once the upgrade is done, reload the router. Then issue "show platform" and verify that the ROMMON upgrade was successful: the firmware version should show 16.7(3r).

Import CA certificate to the trust pool

The router registers with the OpenDNS servers over HTTPS, so the CA certificate that issues the registration server's certificate (DigiCert SHA2 Secure Server CA in this example) must be installed in the router's trustpool.

ISR-4321-OpenDNS(config)#crypto pki trustpool import terminal
% Enter PEM-formatted CA certificate.
MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg
U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83
nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd
KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f
/ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX
kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0
/RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C
AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY
aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6
Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1
oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD
QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh
xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB
CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl
5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA
8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC
2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit
c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0
j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz
% End with a blank line or "quit" on a line by itself.
quit
% PEM files import succeeded.
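A CA certificate pasted into the trustpool is only useful while it is inside its validity window, and the "show crypto pki trustpool" output later on this page gives this one an end date of Mar 8 2023. The following added example (not part of the original post or of Cisco's tooling) reads the serial number and validity dates straight out of the PEM body shown above with a minimal DER walker, so the check can be run offline before the certificate is imported. It assumes the certificate uses the standard X.509 v3 layout (explicit version field first); the PEM_BODY constant is the base64 from this page.

```python
import base64
from datetime import datetime, timezone

# The PEM body exactly as pasted into "crypto pki trustpool import terminal" on this page.
PEM_BODY = """
MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg
U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83
nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd
KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f
/ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX
kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0
/RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C
AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY
aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6
Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1
oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD
QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh
xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB
CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl
5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA
8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC
2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit
c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0
j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz
"""


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Split the contents of a DER SEQUENCE into its (tag, value) members."""
    members, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        members.append((tag, value))
    return members


def _asn1_time(tag, raw):
    """Decode UTCTime (tag 0x17, YYMMDD...) or GeneralizedTime (tag 0x18, YYYYMMDD...)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def cert_info(pem_body):
    """Return serial number (hex) and validity window of a base64/PEM X.509 certificate."""
    der = base64.b64decode("".join(pem_body.split()))
    _, certificate, _ = _read_tlv(der, 0)           # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(certificate, 0)           # tbsCertificate ::= SEQUENCE
    fields = _children(tbs)
    idx = 1 if fields[0][0] == 0xA0 else 0          # skip the explicit [0] version if present
    serial = fields[idx][1].hex().upper()
    # after the serial come: signature algorithm, issuer, validity
    validity = _children(fields[idx + 3][1])
    not_before, not_after = (_asn1_time(t, v) for t, v in validity)
    return {"serial": serial,
            "not_before": not_before.isoformat(),
            "not_after": not_after.isoformat()}


def is_expired(info, now_iso=None):
    """True if notAfter lies before now_iso (an ISO 8601 string with UTC offset) or the current UTC time."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return datetime.fromisoformat(info["not_after"]) < now


if __name__ == "__main__":
    info = cert_info(PEM_BODY)
    print(info)
    print("expired today:", is_expired(info))
```

The serial printed by the script should match the one in the router's own "show crypto pki trustpool" output; if the certificate is already expired, obtain the current issuing CA certificate for the registration endpoint before importing.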

Get the token to register the device

Log into the OpenDNS portal at https://login.opendns.com/?return_to=https://dashboard2.opendns.com/ and follow the screenshot to retrieve the "Token", or generate a fresh "Token" if this is a brand-new setup.

[Figure: token.jpg]

Configure local domains (optional)

DNS queries for a local domain remain untouched and are not redirected to the OpenDNS cloud.

parameter-map type regex dns_bypass
pattern www.cisco.com
pattern .*eisg.cisco.*
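The bypass list decides which queries escape Umbrella entirely (the split-DNS behaviour described under "How OpenDNS works"), so it is worth checking how wide the regex patterns really are. The following added example (not part of the original post) replays query names against the two patterns above and flags patterns that are broader than intended. It assumes, as an approximation, that IOS evaluates parameter-map regex patterns as unanchored regular expressions the way Python's re.search does, and that the engine accepts "^", "$" and "\." for the tightened form; the sample query names are constructed.

```python
import re

# Patterns copied from the page's "parameter-map type regex dns_bypass".
DNS_BYPASS_PATTERNS = ["www.cisco.com", ".*eisg.cisco.*"]


def classify_query(qname, patterns=DNS_BYPASS_PATTERNS):
    """'bypass' if the name matches a local-domain pattern (query left untouched),
    otherwise 'umbrella' (query redirected to the Umbrella resolvers).
    Assumption: IOS matches the pattern anywhere in the name, like re.search."""
    name = qname.rstrip(".").lower()
    for pattern in patterns:
        if re.search(pattern, name):
            return "bypass"
    return "umbrella"


def audit_pattern(pattern):
    """List the ways a bypass pattern matches more than a literal hostname."""
    findings = []
    # a '.' that is neither escaped nor the subject of a quantifier matches any character
    if re.search(r"(?<!\\)\.(?![*+?])", pattern):
        findings.append("unescaped '.' matches any single character")
    if not pattern.startswith("^"):
        findings.append("no '^' anchor: matches inside longer names")
    if not pattern.endswith("$"):
        findings.append("no '$' anchor: also matches names with extra labels appended")
    return findings


def exact_host_pattern(hostname):
    """Pattern that bypasses exactly one hostname: dots escaped, both ends anchored.
    Assumption: the IOS regex engine understands '^', '$' and '\\.' as Python does."""
    return "^" + re.escape(hostname.lower()) + "$"


if __name__ == "__main__":
    # Constructed sample query names (not from the page).
    samples = ["www.cisco.com", "eisg.cisco.com", "example.com",
               "www-cisco.com", "www.cisco.com.example.test"]
    for pattern in DNS_BYPASS_PATTERNS:
        print(f"{pattern!r}: {audit_pattern(pattern) or 'ok'}")
    tightened = [exact_host_pattern("www.cisco.com"), ".*eisg.cisco.*"]
    for name in samples:
        print(f"{name:28} page list -> {classify_query(name):8} "
              f"tightened -> {classify_query(name, tightened)}")
```

With the page's list as written, "www-cisco.com" and "www.cisco.com.example.test" are both bypassed because the unescaped dots and the missing anchors let the first pattern match them; the tightened pattern keeps only the intended host out of Umbrella. Whether the wildcard in the second pattern is acceptable is a policy decision for the domain owner.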

Configure the token

Configure the token obtained from the OpenDNS portal and, optionally, reference the local-domain parameter map created in the previous step.

ISR-4321-OpenDNS(config)#parameter-map type opendns global
ISR-4321-OpenDNS(config-profile)#token 0F322FEC26991C2B562D3C7FF844E0001C70E7
ISR-4321-OpenDNS(config-profile)#local-domain dns_bypass

Enable OpenDNS out

Enable OpenDNS out on the interface facing the internet.

ISR-4321-OpenDNS(config-if)#int g0/0/0
ISR-4321-OpenDNS(config-if)#opendns out  ===> command has been changed to "umbrella out"

Enable OpenDNS in

Enable OpenDNS in on every interface whose DNS traffic should be redirected to the OpenDNS cloud. Each interface is given a "tag", which lets you configure policies per tag on the OpenDNS portal. In this case the tag "inside-network" is used.

ISR-4321-OpenDNS(config-if)#int g0/0/1
ISR-4321-OpenDNS(config-if)#opendns in inside-network ===> command has been changed to "umbrella in"

Final Relevant Config

parameter-map type regex dns_bypass
pattern www.cisco.com
pattern .*eisg.cisco.*
!
parameter-map type opendns global
token 0F32C32FEC26991C2B562D3C7FF844E0001C70E7
local-domain dns_bypass
!
interface GigabitEthernet0/0/0
ip address dhcp
ip nat outside
umbrella out
!
interface GigabitEthernet0/0/1
ip address 10.10.20.1 255.255.255.0
ip nat inside
umbrella in inside-network

Show commands

show opendns dnscrypt
show opendns config
show opendns deviceid

Debugs

debug opendns device-registration

The debug output below clearly indicates a certificate problem: the HTTPS registration channel to api.opendns.com cannot be established.

*Apr  6 02:58:28.938: OPENDNS-DEV-REG:opendns_dev_reg_process_start
*Apr  6 02:58:28.938: OPENDNS-DEV-REG:Found channel
*Apr  6 02:58:28.938: OPENDNS-DEV-REG:dev reg to be sent for interface :GigabitEthernet0/0/1 status :REQ QUEUED
*Apr  6 02:58:28.938: OPENDNS-DEV-REG: Dev reg interface details interface name: GigabitEthernet0/0/1 tag: inside-network, status :1
*Apr  6 02:58:28.938: OPENDNS-DEV-REG:Found channel
*Apr  6 02:58:28.940: OPENDNS-DEV-REG:DNS match found for api.opendns.com is 67.215.92.210
*Apr  6 02:58:28.940: OPENDNS-DEV-REG:channel connect : resolved OOB server ip:67.215.92.210
*Apr  6 02:58:28.940: OPENDNS-DEV-REG:channel: IDB name GigabitEthernet0/0/1:
*Apr  6 02:58:28.940: OPENDNS-DEV-REG:channel: Connecting to 67.215.92.210(443) from src 0.0.0.0: socket 6: status -1: errno 265 channel status0
*Apr  6 02:58:28.940: OPENDNS-DEV-REG:channel: Error in socket_connect: status -1: sock_fd 6
*Apr  6 02:58:28.940: OPENDNS-DEV-REG:Cleaning up the channel
*Apr  6 02:58:28.940: OPENDNS-DEV-REG: Could not connect device reg channel
*Apr  6 02:58:28.940: OPENDNS-DEV-REG:cleanup and reconnect
*Apr  6 02:58:28.940: OPENDNS-DEV-REG:Cleaning up the channel

Check that the certificate is still present in the trustpool; if it is not, import it again.

ISR-4321-OpenDNS#sh cry pki trustpool
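The registration debug is verbose, and the lines that matter (which interface and tag were registered, what api.opendns.com resolved to, and whether the TCP/443 connect succeeded) are easy to miss in a long capture. The following added example (not part of the original post or of the IOS-XE feature) pulls those facts out of a pasted "debug opendns device-registration" capture and points to the next thing to check. The sample text is a constructed subset of the debug lines shown above; the message formats are taken from those lines, and the triage hints are this example's own, except that the trustpool check repeats the page's advice.

```python
import re

# Constructed sample: a subset of the debug lines shown on this page.
SAMPLE_DEBUG = """\
*Apr  6 02:58:28.938: OPENDNS-DEV-REG:opendns_dev_reg_process_start
*Apr  6 02:58:28.938: OPENDNS-DEV-REG: Dev reg interface details interface name: GigabitEthernet0/0/1 tag: inside-network, status :1
*Apr  6 02:58:28.940: OPENDNS-DEV-REG:DNS match found for api.opendns.com is 67.215.92.210
*Apr  6 02:58:28.940: OPENDNS-DEV-REG:channel: Connecting to 67.215.92.210(443) from src 0.0.0.0: socket 6: status -1: errno 265 channel status0
*Apr  6 02:58:28.940: OPENDNS-DEV-REG:channel: Error in socket_connect: status -1: sock_fd 6
*Apr  6 02:58:28.940: OPENDNS-DEV-REG: Could not connect device reg channel
"""

# Field layouts as they appear in the debug lines on this page.
IFACE_RE = re.compile(r"interface name: (\S+) tag: ([^,]+),")
DNS_RE = re.compile(r"DNS match found for (\S+) is (\d+\.\d+\.\d+\.\d+)")
CONNECT_RE = re.compile(r"Connecting to (\d+\.\d+\.\d+\.\d+)\((\d+)\) .* status (-?\d+): errno (\d+)")


def summarize_registration(debug_text):
    """Condense a device-registration debug capture into the facts needed for triage."""
    summary = {"interfaces": [], "api_host": None, "api_ip": None,
               "connect_attempts": 0, "connect_failures": 0, "errnos": []}
    for line in debug_text.splitlines():
        if "OPENDNS-DEV-REG" not in line:
            continue
        m = IFACE_RE.search(line)
        if m:
            summary["interfaces"].append({"name": m.group(1), "tag": m.group(2).strip()})
        m = DNS_RE.search(line)
        if m:
            summary["api_host"], summary["api_ip"] = m.group(1), m.group(2)
        m = CONNECT_RE.search(line)
        if m:
            summary["connect_attempts"] += 1
            if int(m.group(3)) != 0:            # status 0 would be a successful connect
                summary["connect_failures"] += 1
                summary["errnos"].append(int(m.group(4)))
    return summary


def next_check(summary):
    """Suggest the first thing to verify, based on how far registration got."""
    if summary["api_ip"] is None:
        return "registration host was never resolved: verify the router's DNS servers"
    if summary["connect_failures"]:
        return ("HTTPS connect to %s failed (errno %s): run 'show crypto pki trustpool' "
                "and confirm the CA certificate is present and internet reachability works"
                % (summary["api_ip"], summary["errnos"]))
    return "connect succeeded: confirm registration with 'show opendns deviceid'"


if __name__ == "__main__":
    result = summarize_registration(SAMPLE_DEBUG)
    for key, value in result.items():
        print(f"{key:18} {value}")
    print("next check:", next_check(result))
```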

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01FDA3EB6ECA75C888438B724BCFBC91
  Certificate Usage: Signature
  Issuer:
    cn=DigiCert Global Root CA
    ou=www.digicert.com
    o=DigiCert Inc
    c=US
  Subject:
    cn=DigiCert SHA2 Secure Server CA
    o=DigiCert Inc
    c=US
  CRL Distribution Points:
    http://crl3.digicert.com/DigiCertGlobalRootCA.crl
    http://crl4.digicert.com/DigiCertGlobalRootCA.crl
  Validity Date:
    start date: 12:00:00 UTC Mar 8 2013
    end   date: 12:00:00 UTC Mar 8 2023
  Associated Trustpoints: Trustpool
  Trustpool: Downloaded

debug opendns config
debug opendns split-dns

Comments
Beginner

New Stuff to me, Thanks
