
ISR-4K/1K: Umbrella Integration (OpenDNS) Step by Step Configuration




OpenDNS Documentation:

Cisco Documentation:

Prerequisite and code download links

Code Download Link:

  • ISR-4K must be running Polaris (16.3) image or above
  • Security K9 license enabled on the router


This post shows how to configure the OpenDNS connector on the ISR so that it redirects all DNS traffic, except queries for local domains, to the OpenDNS resolvers.


OpenDNS has no effect on the following, even when the connector is configured; that is, such traffic is not filtered according to the OpenDNS policies configured on the portal.

  • Loading a page using IP address
  • Using a proxy on the browser



How OpenDNS works

  1. All DNS traffic is intercepted by the ISR. If the query is for a local domain, the DNS packet is left unchanged and is not redirected to the OpenDNS resolvers; otherwise the ISR adds EDNS records to the query and forwards it to the OpenDNS cloud.
  2. Based on the policies configured on the OpenDNS portal, if the HTTP client is trying to browse to a page that is blocked or malicious, OpenDNS returns the IP address of its block page as the DNS response.
  3. The HTTP client then sends its HTTP request to that OpenDNS cloud IP address, and OpenDNS states the reason for blocking the content in the HTTP response.
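To make the split-DNS decision in step 1 concrete, here is an added Python example (not code from the original post or from Cisco) that mimics what the connector does to a raw DNS query: names matching a local-domain regex are passed through untouched, everything else gets an EDNS0 OPT record appended before it would be forwarded. The bypass patterns, the device tag, and the EDNS option code (taken from the RFC 6891 local/experimental range) are all assumptions chosen for illustration, not the values Umbrella actually uses.

```python
import re
import struct

# Constructed bypass patterns, standing in for the page's
# "parameter-map type regex dns_bypass" (the page's own pattern text did not survive).
LOCAL_DOMAIN_PATTERNS = [r"\.corp\.example$", r"^intranet$"]

# Placeholder EDNS option code from the RFC 6891 local/experimental range (65001-65534).
# It is NOT the option Umbrella really uses; it only shows where the tag would travel.
HYPOTHETICAL_OPTION_CODE = 65001
DEVICE_TAG = b"inside-network"   # the interface tag from "umbrella in inside-network"


def is_local_domain(qname, patterns=LOCAL_DOMAIN_PATTERNS):
    """True when the lower-cased, trailing-dot-stripped name matches any bypass regex."""
    name = qname.rstrip(".").lower()
    return any(re.search(p, name) for p in patterns)


def encode_qname(qname):
    """Wire-format labels: <len><label>...<0>."""
    out = b"".join(struct.pack("!B", len(label)) + label.encode("ascii")
                   for label in qname.rstrip(".").split("."))
    return out + b"\x00"


def decode_qname(packet, offset):
    """Read an uncompressed name starting at offset; returns the dotted name."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels)
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def build_query(qname, txid=0x1234, qtype=1):
    """Minimal recursive A query with no additional records (ARCOUNT = 0)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, 1)


def add_edns_option(query, option_code, option_data, udp_size=4096):
    """Append an EDNS0 OPT pseudo-RR carrying one option and bump ARCOUNT."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    if ar != 0:
        raise ValueError("query already has additional records; not handled here")
    header = struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar + 1)
    rdata = struct.pack("!HH", option_code, len(option_data)) + option_data
    # OPT RR: empty name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, len(rdata)) + rdata
    return header + query[12:] + opt


def process_query(query, patterns=LOCAL_DOMAIN_PATTERNS):
    """Mimic the connector's decision: local domain -> untouched, else tag and redirect."""
    qname = decode_qname(query, 12)
    if is_local_domain(qname, patterns):
        return "bypass", query
    return "redirect", add_edns_option(query, HYPOTHETICAL_OPTION_CODE, DEVICE_TAG)


if __name__ == "__main__":
    for name in ("printer.corp.example", "www.example.com"):
        action, pkt = process_query(build_query(name))
        print(f"{name}: {action}, {len(pkt)} bytes")
```

The point to notice is that a bypassed query is byte-for-byte the original packet, while a redirected one differs only in ARCOUNT and the trailing OPT record; a packet capture on the outside interface is the easiest way to confirm which path a given name took.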

Step by Step Configuration

Upgrade the router image to Polaris (16.3) or higher image


ISR-4321-OpenDNS#copy tftp: flash:
Address or name of remote host []?
Source filename [isr4300-universalk9.16.03.06.SPA.bin]?
Destination filename [isr4300-universalk9.16.03.06.SPA.bin]?
Accessing tftp://10.10.20.
Loading isr4300-universalk9.16.03.06.SPA.bin from (via GigabitEthernet0/0/1): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 509907627 bytes]
509907627 bytes copied in 414.230 secs (1230977 bytes/sec)


Upgrade rommon

Once you upgrade to 16.3 or higher, the rommon also needs to be upgraded. Please follow the steps below. Download the isr4200_4300_rommon_167_3r_SPA.pkg image from here: Cisco 4321 Integrated Services Router - Cisco

and upload it to flash. Then upgrade using the "upgrade" command.

ISR-4321-OpenDNS#copy tftp flash:

Address or name of remote host []?

Source filename []? isr4200_4300_rommon_167_3r_SPA.pkg

Destination filename [isr4200_4300_rommon_167_3r_SPA.pkg]?

Accessing tftp://

Loading isr4200_4300_rommon_167_3r_SPA.pkg from (via GigabitEthernet0/0/1): !!!!!!!!!!!

[OK - 2646988 bytes]


CWS-Tunnel-RTR#upgrade rom-monitor filename bootflash:isr4200_4300_rommon_167_3r_SPA.pkg R0

Chassis model ISR4321/K9 has a single rom-monitor.

Upgrade rom-monitor

Target copying rom-monitor image file

selected : 0

Booted : 0

Reset Reason: 0

Info: Upgrading entire flash from the rommon package

4259840+0 records in

4259840+0 records out

262144+0 records in

262144+0 records out

655360+0 records in

655360+0 records out

4194304+0 records in

4194304+0 records out

File  is a FIPS ROMMON image

FIPS-140-3 Load Test on  has PASSED.

Authenticity of the image has been verified.

Switching to ROM 1

8192+0 records in

8192+0 records out

Upgrade image MD5 signature is b702a0a59a46a20a4924f9b17b8f0887

4259840+0 records in

4259840+0 records out

4194304+0 records in

4194304+0 records out

4194304+0 records in

4194304+0 records out

262144+0 records in

262144+0 records out

Upgrade image MD5 signature verification is b702a0a59a46a20a4924f9b17b8f0887

Switching back to ROM 0

ROMMON upgrade complete.

To make the new ROMMON permanent, you must restart the RP.

Once the upgrade is done, reload the router. Then issue "show platform" and verify that the rommon upgrade was successful: the firmware version should show 16.7(3r).

Import CA certificate to the trust pool

Communication for device registration to the OpenDNS server is over HTTPS. This requires the root certificate to be installed on the router.

ISR-4321-OpenDNS(config)#crypto pki trustpool import terminal

% Enter PEM-formatted CA certificate.


























% End with a blank line or "quit" on a line by itself.


% PEM files import succeeded.

Get the token to register the device

Log into the OpenDNS portal

Then follow the screenshot to get the "Token", or, if this is a brand new setup, generate a fresh "Token".



Configure local domains (optional)

DNS queries destined for a local domain remain untouched and are not redirected to the OpenDNS cloud.

parameter-map type regex dns_bypass


pattern .**

Configure the token

Configure the token that you got from the OpenDNS portal and add the optional local-domain regex configured in the step above.

ISR-4321-OpenDNS(config)#parameter-map type opendns global

ISR-4321-OpenDNS(config-profile)#token 0F322FEC26991C2B562D3C7FF844E0001C70E7

ISR-4321-OpenDNS(config-profile)#local-domain dns_bypass

Enable OpenDNS out

Enable OpenDNS out on the interface facing the internet.

ISR-4321-OpenDNS(config-if)#int g0/0/0

ISR-4321-OpenDNS(config-if)#opendns out  ===> command has been changed to "umbrella out"

Enable OpenDNS in

Enable OpenDNS in on every interface whose DNS traffic should be redirected to the OpenDNS cloud. Each interface should include a "tag" so that you can configure policies based on that "tag" on the OpenDNS portal. In this case we have used the "tag" "inside-network".

ISR-4321-OpenDNS(config-if)#int g0/0/1

ISR-4321-OpenDNS(config-if)#opendns in inside-network ===> command has been changed to "umbrella in"

Final Relevant Config

parameter-map type regex dns_bypass


pattern .**


parameter-map type opendns global

token 0F32C32FEC26991C2B562D3C7FF844E0001C70E7

local-domain dns_bypass


interface GigabitEthernet0/0/0

ip address dhcp

ip nat outside

umbrella out 


interface GigabitEthernet0/0/1

ip address

ip nat inside

umbrella in inside-network

Show commands

show opendns dnscrypt

show opendns config

show opendns deviceid


debug opendns device-registration

The debugs below clearly indicate that there is a problem with the certificate.

*Apr  6 02:58:28.938: OPENDNS-DEV-REG:opendns_dev_reg_process_start

*Apr  6 02:58:28.938: OPENDNS-DEV-REG:Found channel

*Apr  6 02:58:28.938: OPENDNS-DEV-REG:dev reg to be sent for interface :GigabitEthernet0/0/1 status :REQ QUEUED

*Apr  6 02:58:28.938: OPENDNS-DEV-REG: Dev reg interface details interface name: GigabitEthernet0/0/1 tag: inside-network, status :1

*Apr  6 02:58:28.938: OPENDNS-DEV-REG:Found channel

*Apr  6 02:58:28.940: OPENDNS-DEV-REG:DNS match found for is

*Apr  6 02:58:28.940: OPENDNS-DEV-REG:channel connect : resolved OOB server ip:

*Apr  6 02:58:28.940: OPENDNS-DEV-REG:channel: IDB name GigabitEthernet0/0/1:

*Apr  6 02:58:28.940: OPENDNS-DEV-REG:channel: Connecting to from src socket 6: status -1: errno 265 channel status0

*Apr  6 02:58:28.940: OPENDNS-DEV-REG:channel: Error in socket_connect: status -1: sock_fd 6

*Apr  6 02:58:28.940: OPENDNS-DEV-REG:Cleaning up the channel

*Apr  6 02:58:28.940: OPENDNS-DEV-REG: Could not connect device reg channel

*Apr  6 02:58:28.940: OPENDNS-DEV-REG:cleanup and reconnect

*Apr  6 02:58:28.940: OPENDNS-DEV-REG:Cleaning up the channel
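When this debug is left running on a busy router the interesting lines get buried, so here is an added Python helper (not from the original post or from Cisco) that triages "debug opendns device-registration" output: it records which interfaces attempted registration and with which tag, counts socket_connect failures and their errno values, and reports whether the registration channel ever came up. The sample lines are the ones shown above, embedded as a constructed string with the server fields left blank exactly as they appeared; the verdict wording is my own.

```python
import re

# Constructed sample: the page's debug lines, with the elided server fields left as shown.
SAMPLE_DEBUG = """\
*Apr  6 02:58:28.938: OPENDNS-DEV-REG:opendns_dev_reg_process_start
*Apr  6 02:58:28.938: OPENDNS-DEV-REG:dev reg to be sent for interface :GigabitEthernet0/0/1 status :REQ QUEUED
*Apr  6 02:58:28.938: OPENDNS-DEV-REG: Dev reg interface details interface name: GigabitEthernet0/0/1 tag: inside-network, status :1
*Apr  6 02:58:28.940: OPENDNS-DEV-REG:channel: Connecting to from src socket 6: status -1: errno 265 channel status0
*Apr  6 02:58:28.940: OPENDNS-DEV-REG:channel: Error in socket_connect: status -1: sock_fd 6
*Apr  6 02:58:28.940: OPENDNS-DEV-REG: Could not connect device reg channel
*Apr  6 02:58:28.940: OPENDNS-DEV-REG:cleanup and reconnect
"""

IFACE_RE = re.compile(r"interface name: (\S+) tag: ([^,]+),")
ERRNO_RE = re.compile(r"errno (\d+)")


def triage_registration_debug(text):
    """Summarise which interfaces tried to register and whether the channel connected."""
    summary = {"interfaces": {}, "connect_errors": 0, "errnos": [], "channel_failed": False}
    for line in text.splitlines():
        if "OPENDNS-DEV-REG" not in line:
            continue                      # ignore unrelated debug noise
        m = IFACE_RE.search(line)
        if m:
            summary["interfaces"][m.group(1)] = m.group(2).strip()
        if "Error in socket_connect" in line:
            summary["connect_errors"] += 1
        e = ERRNO_RE.search(line)
        if e:
            summary["errnos"].append(int(e.group(1)))
        if "Could not connect device reg channel" in line:
            summary["channel_failed"] = True
    if summary["channel_failed"]:
        summary["verdict"] = ("registration channel did not connect; verify the CA is "
                              "present in the trustpool and the registration server is reachable")
    else:
        summary["verdict"] = "no channel failure seen"
    return summary


if __name__ == "__main__":
    for key, value in triage_registration_debug(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

Feed it the saved output of "show logging" or a terminal capture; a channel_failed verdict with no interface entries usually means "umbrella in" was never applied, while a failure after the interface line points at the outbound HTTPS path, which is where the certificate check that follows comes in.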

Import the certificate and make sure it is still present in the trustpool. If it is not, import it into the trustpool again.

ISR-4321-OpenDNS#sh cry pki trustpool

CA Certificate

  Status: Available

  Certificate Serial Number (hex): 01FDA3EB6ECA75C888438B724BCFBC91

  Certificate Usage: Signature


    cn=DigiCert Global Root CA

    o=DigiCert Inc



    cn=DigiCert SHA2 Secure Server CA

    o=DigiCert Inc


  CRL Distribution Points:

  Validity Date:

    start date: 12:00:00 UTC Mar 8 2013

    end   date: 12:00:00 UTC Mar 8 2023

  Associated Trustpoints: Trustpool

  Trustpool: Downloaded
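Because registration silently fails once the trustpool CA lapses, it is worth checking the validity window rather than just eyeballing it. Here is an added Python example (not from the original post or from Cisco) that parses "show crypto pki trustpool" output and reports whether the required CA is present, still valid, or about to expire. The sample output is a constructed copy of the one above with the Issuer:/Subject: labels restored; note that the intermediate shown on the page has an end date of Mar 8 2023, so the check flags it as expired against any later reference date. The reference date is passed in explicitly so the result is deterministic.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the page's "sh cry pki trustpool" output.
SAMPLE_TRUSTPOOL_OUTPUT = """\
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01FDA3EB6ECA75C888438B724BCFBC91
  Certificate Usage: Signature
  Issuer:
    cn=DigiCert Global Root CA
    o=DigiCert Inc
  Subject:
    cn=DigiCert SHA2 Secure Server CA
    o=DigiCert Inc
  Validity Date:
    start date: 12:00:00 UTC Mar 8 2013
    end   date: 12:00:00 UTC Mar 8 2023
  Associated Trustpoints: Trustpool
  Trustpool: Downloaded
"""

DATE_RE = re.compile(r"(\d{2}:\d{2}:\d{2}) UTC (\w{3}) (\d{1,2}) (\d{4})")


def parse_ios_date(text):
    """Turn '12:00:00 UTC Mar 8 2023' into a naive UTC datetime."""
    m = DATE_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised date: {text!r}")
    return datetime.strptime(" ".join(m.groups()), "%H:%M:%S %b %d %Y")


def parse_trustpool(output):
    """Split the output into certificates and pull out the fields we care about."""
    certs = []
    for block in output.split("CA Certificate")[1:]:
        cert = {"status": None, "serial": None, "issuer_cn": None,
                "subject_cn": None, "start": None, "end": None}
        section = None
        for line in block.splitlines():
            s = line.strip()
            if s.startswith("Status:"):
                cert["status"] = s.split(":", 1)[1].strip()
            elif s.startswith("Certificate Serial Number"):
                cert["serial"] = s.split(":", 1)[1].strip()
            elif s in ("Issuer:", "Subject:"):
                section = s[:-1].lower()          # which DN the next cn= belongs to
            elif s.startswith("cn=") and section:
                cert[f"{section}_cn"] = s[3:]
            elif s.startswith("start date:"):
                cert["start"] = parse_ios_date(s)
            elif s.startswith("end"):             # IOS pads this as "end   date:"
                cert["end"] = parse_ios_date(s)
        certs.append(cert)
    return certs


def check_trustpool(output, required_cn, now, warn_days=30):
    """Return (ok, findings); `now` may be a datetime or an ISO date string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    findings = []
    matches = [c for c in parse_trustpool(output) if c["subject_cn"] == required_cn]
    if not matches:
        return False, [f"no certificate with subject cn={required_cn}; re-import the trustpool"]
    for c in matches:
        if c["status"] != "Available":
            findings.append(f"{c['subject_cn']}: status {c['status']}")
        if c["end"] < now:
            findings.append(f"{c['subject_cn']}: expired {c['end']:%Y-%m-%d}")
        elif c["end"] - now < timedelta(days=warn_days):
            findings.append(f"{c['subject_cn']}: expires within {warn_days} days")
        if c["start"] > now:
            findings.append(f"{c['subject_cn']}: not yet valid (router clock?)")
    return not findings, findings


if __name__ == "__main__":
    ok, findings = check_trustpool(SAMPLE_TRUSTPOOL_OUTPUT,
                                   "DigiCert SHA2 Secure Server CA", datetime.utcnow())
    print("OK" if ok else "PROBLEM", findings)
```

Run it against the router's current output with the router's own clock value as the reference date; a wrong clock on the ISR produces the same registration failure as a missing certificate, which is why the "not yet valid" branch is there.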

debug opendns config

debug opendns split-dns



New Stuff to me, Thanks



Hi Kureli,


Really useful post. Can I check what DNS server was given to the client via DHCP? Was it pointing to the gateway, some internal DNS server, or Umbrella?