
Manually adding user information to DNS traffic for Cisco Umbrella

JonPenn
Level 1

As I understand it, for Windows computers the AD connector (or maybe the script for the domain controllers?) monitors logins and associates an internal IP address with a user. The virtual appliance uses this IP->user mapping to add information about the user to the DNS query and forwards it to Umbrella.

I want to take over this entire process. I already know which user each query is associated with via some DoH trickery. I want custom code to become the DNS server for my network and to associate user information with each query before forwarding it to Umbrella. Is there a way I can perform a DNS query impersonating a particular user? For example, is there a custom EDNS option I can send to indicate the user?

If it is not possible to tag DNS traffic directly, can I manipulate the associations from IP to user? I could route a private /16 to my custom DNS server, set up an association in that block for each of my ~25,000 users, then have my custom server use the appropriate source IP for each query when sending requests to the Umbrella virtual appliance.

1 Reply

JonPenn
Level 1

It's based on EDNS option 20292. Here is an excerpt from some unfinished code that builds these DNS requests with all the custom data. This does not run on its own, but it should give you a good idea of how it works. The function tests may also prove instructive as they contain examples of encoded EDNS data.

Here is some documentation that describes things, though it appears to use a slightly different version of the extension with 2-byte field headers.