Could Umbrella DNS Module Cause Initial Page Load Latency?

jaismith
Level 1

We’re troubleshooting some initial page load latency (some sites take 30 seconds or more to completely load) and trying to isolate whether Secure Client and Cisco Umbrella’s module (DNS, not the SWG component) could be a contributing factor. Specifically, I’m curious about how DNS behaves when the Umbrella roaming client is enabled.

Some observations and questions:

  • Initial page loads are the slowest, then subsequent loads appear to be normal.

  • Packet captures on our internal DNS servers don’t show the initial DNS requests, even though clients are configured to use the internal DNS servers as primary.

  • This makes me suspect that DNS queries might be encrypted and tunneled directly from the client to Umbrella (DoH or some proxy mechanism?), bypassing our internal servers entirely.

  • Has anyone else experienced similar behavior?

  • Could this be causing initial page load latency, especially on first-time DNS lookups?

  • If you’ve resolved this kind of latency, what was the root cause and what worked for you?

Appreciate any insights from folks who’ve deployed Umbrella in a similar setup.

2 Replies

adamwin
Cisco Employee

You said you are using the Umbrella DNS module, but you are "configured to use the internal DNS servers as primary"?

When the client is active, it will encrypt DNS and tunnel it directly to Umbrella's resolvers. For internal domains, you can put them on the Internal Domains list and those domains (or zones) will go to your internal DNS server. The DNS Module utilizes a network driver to intercept DNS, so it is going to mostly ignore whatever you configure in the DHCP options or static network adapter configuration to specify your internal DNS server as first.

The other thing to keep in mind: Windows doesn't have a concept of 'first' or 'second' DNS resolvers. When you configure a primary and secondary DNS server, Windows will query both of them and use whichever replies first. The behavior of using DNS Server A and then DNS Server B only if A fails to respond went away a few years ago.

The other option, if you want all DNS to go to your internal DNS servers first, is to use Trusted Network Detection to have the DNS Module back off while on-network.

In a typical deployment, no added latency is expected. I suspect something is misbehaving due to your specific configuration. If you have support, I recommend opening a ticket.

We have our internal domains specified in the "Domain Management" settings on Umbrella. My concern with configuring the module to "back off" when connected to the trusted network is that the machine would not pass their user identity to apply Umbrella DNS policy. Am I correct in saying that? We have our internal DNS configured to forward traffic to Umbrella, but they would not be aware of the user information. Also, do you have any recommendations for best practices regarding the configuration? We have opened tickets with Umbrella in the past and they see no issues with our configuration and policy but we may have missed something.
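An added diagnostic, not posted by anyone in this thread, for the question of whether the intercepted resolver path is what makes first lookups slow: it times a lookup through the OS resolver (the path a driver-level DNS module intercepts) against a plain UDP/53 query built by hand and sent to a server you name. It uses only the Python 3 standard library; the server address is an assumed placeholder supplied by the caller.

```python
import random
import socket
import struct
import time

def build_query(name, qid):
    """Encode a standard recursive A-record query (RD=1) for `name`."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(x)]) + x.encode() for x in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)   # QTYPE=A, QCLASS=IN

def _skip_name(resp, pos):
    while resp[pos] and resp[pos] & 0xC0 != 0xC0:   # labels end in 0x00 or a 2-byte pointer
        pos += resp[pos] + 1
    return pos + (2 if resp[pos] & 0xC0 == 0xC0 else 1)

def parse_answers(resp, qid):
    """Return the IPv4 addresses in a reply to `qid`; [] on id mismatch or RCODE != 0."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    if rid != qid or flags & 0x000F:
        return []
    pos = 12
    for _ in range(qd):
        pos = _skip_name(resp, pos) + 4          # skip the echoed QTYPE/QCLASS too
    addrs = []
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:            # A record
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen                             # CNAME and other types are skipped
    return addrs

def time_direct(name, server, timeout=3.0):
    """Milliseconds for one UDP/53 query sent straight to `server`, bypassing the stub cache."""
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t0 = time.perf_counter()
        s.sendto(build_query(name, qid), (server, 53))
        data = s.recv(512)
    return (time.perf_counter() - t0) * 1000, parse_answers(data, qid)

def time_system(name):
    """Milliseconds through the OS resolver path, where an endpoint DNS module intercepts."""
    t0 = time.perf_counter()
    addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(name, 80, socket.AF_INET)})
    return (time.perf_counter() - t0) * 1000, addrs
```

Call `time_system(host)` twice and `time_direct(host, "10.0.0.53")` twice (placeholder address for your internal resolver): a slow first system lookup that clears up on repeat while the direct queries stay fast points at the intercepted resolver path rather than the internal server. Check the internal server's packet capture at the same time to see whether the direct query even reached it.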