Using Umbrella DNS Security
For DNS-layer security, you can configure a vEdge router to act as a DNS forwarder to Cisco Umbrella. Umbrella is a cloud-delivered service for provisioning secure and compliant guest Wi-Fi.
You configure Umbrella DNS security with a centralized data policy. You create the policy on a vSmart controller, and it is pushed to the vEdge routers. This policy ensures that the router enables DNS-level security for all end points, both controlled and uncontrolled, in your branch environment through Cisco Umbrella by transparently intercepting DNS queries and forwarding them to Umbrella DNS.
In order to apply the DNS redirect policies to Umbrella, you must first register the public IP addresses of the remote sites on the Umbrella portal, under the Identities ► Network option.
CLI Configuration Procedure
The following high-level steps show the minimum policy components required to redirect DNS traffic to Cisco Umbrella:

- Create one or more lists of overlay network sites to which the centralized data policy is to be applied (in an apply-policy command):

      vSmart(config)# policy
      vSmart(config-policy)# lists site-list list-name
      vSmart(config-lists)# site-id site-id

  The list can contain as many site IDs as necessary. Include one site-id command for each site ID. For contiguous site IDs, you can specify a range of numbers separated with a dash (–).

- Create lists of VPNs to which to apply the Umbrella DNS redirect policy (in a policy data-policy command):

      vSmart(config)# policy lists
      vSmart(config-lists)# vpn-list list-name
      vSmart(config-lists)# vpn vpn-id

- Create a data policy instance and associate it with a list of VPNs:

      vSmart(config)# policy data-policy policy-name
      vSmart(config-data-policy)# vpn-list list-name

- Create one match–action pair sequence:

      vSmart(config-vpn-list)# sequence number1

  The match–action pairs are evaluated in order, by sequence number, starting with the lowest numbered pair and ending when the packet matches the conditions in one of the pairs. If no match occurs, the default action is taken (either dropping the packet or accepting it as is).

- Configure a match condition to process DNS requests to be forwarded to Umbrella:

      vSmart(config-sequence1)# match dns request

- Configure the DNS redirect action, specifying the IP address of the Umbrella DNS service, either 208.67.222.222 or 208.67.220.220:

      vSmart(config-sequence1)# action accept redirect-dns ip-address

- Create a second match–action pair sequence:

      vSmart(config-vpn-list)# sequence number2

- Configure a match condition to process DNS responses from the Umbrella service:

      vSmart(config-sequence2)# match dns response

- Configure the redirect DNS host so that the DNS response can be correctly forwarded back to the service VPN:

      vSmart(config-sequence2)# action accept redirect-dns host

- Apply the policy to a list of sites in the overlay network:

      vSmart(config)# apply-policy site-list list-name data-policy policy-name (from-service | from-tunnel)
Structural Components of Policy Configuration for Umbrella DNS
Below are the structural components required to configure DNS traffic redirection to Cisco Umbrella. You configure this policy on a vSmart controller. The components related to configuring Umbrella DNS are explained in the sections below. For an explanation of the data policy components that are not specifically related to DNS traffic redirection, see Configuring Centralized Data Policy.

    policy
      lists
        site-list list-name
          site-id site-id
        vpn-list list-name
          vpn-id vpn-id
      data-policy policy-name
        vpn-list list-name
          sequence number
            match
              dns (request | response)
            action accept
              count counter-name
              log
              redirect-dns (ip-address | host)
          default-action (accept | drop)
    apply-policy site-list list-name data-policy policy-name (from-service | from-tunnel)
Lists
A data policy for configuring a DNS forwarder to Cisco Umbrella uses the following types of lists to group related items. You configure these lists under the policy lists command hierarchy on vSmart controllers.
List Type | Description | Command
---|---|---
Sites | List of one or more site identifiers in the overlay network. To configure multiple sites in a single list, include multiple site-id options, specifying one site number in each option. You can specify a single site identifier (such as site-id 1) or a range of site identifiers (such as site-id 1-10). | site-list list-name
VPNs | List of one or more VPNs in the overlay network. To configure multiple VPNs in a single list, include multiple vpn options, specifying one VPN number in each option. You can specify a single VPN identifier (such as vpn-id 1) or a range of VPN identifiers (such as vpn-id 1-10). | vpn-list list-name
In the vSmart controller configuration, you can create multiple iterations of each type of list. For example, it is common to create multiple site lists and multiple VPN lists so that you can apply data policy to different sites and different customer VPNs across the network.
When you create multiple iterations of a type of list (for example, when you create multiple VPN lists), you can include the same values or overlapping values in more than one of these lists. You can do this either on purpose, to meet the design needs of your network, or accidentally, which might occur when you use ranges to specify values. (You can use ranges to specify data prefixes, site identifiers, and VPNs.) Here are two examples of lists that are configured with ranges and that contain overlapping values:

- vpn-list list-1 vpn 1-10
  vpn-list list-2 vpn 6-8
- site-list list-1 site 1-10
  site-list list-2 site 5-15
When you configure data policies that contain lists with overlapping values, or when you apply data policies, you must ensure that the lists included in the policies, or included when applying the policies, do not contain overlapping values. To do this, you must manually audit your configurations. The software performs no validation on the contents of lists, on the data policies themselves, or on how the policies are applied to ensure that there are no overlapping values.
If you configure or apply data policies that contain lists with overlapping values to the same site, one policy is applied and the others are ignored. Which policy is applied is a function of the internal behavior of Viptela software when it processes the configuration. This decision is not under user control, so the outcome is not predictable.
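Because the software performs no validation of overlapping list values, the audit has to be done by hand or by a script. The following is an added example, not part of the Cisco documentation, that parses the lists block of a vSmart running-config (in the show running-config style used in the Example Configuration section) and reports every pair of same-type lists whose site or VPN ranges intersect; the list names and values in the sample are constructed.

```python
import re
from collections import defaultdict
from itertools import combinations
# Constructed sample (not from the page): a vSmart "lists" block in the
# running-config style shown on the page, with overlapping ranges.
SAMPLE_LISTS = """\
lists
 vpn-list list-1
  vpn 1-10
 !
 vpn-list list-2
  vpn 6-8
 !
 site-list list-1
  site-id 1-10
 !
 site-list list-2
  site-id 5-15
 !
!
"""
HEADER = re.compile(r"^\s*(site-list|vpn-list)\s+(\S+)\s*$")
MEMBER = re.compile(r"^\s*(?:site-id|site|vpn-id|vpn)\s+(\d+)(?:-(\d+))?\s*$")

def parse_lists(text):
    """Return {list_type: {name: [(lo, hi), ...]}}; a single ID is (n, n)."""
    lists, current = defaultdict(dict), None
    for line in text.splitlines():
        hdr, mem = HEADER.match(line), MEMBER.match(line)
        if line.strip() == "!":           # block terminator: leave the list
            current = None
        elif hdr:
            current = hdr.groups()        # (list_type, name)
            lists[current[0]].setdefault(current[1], [])
        elif mem and current:
            lo, hi = int(mem.group(1)), int(mem.group(2) or mem.group(1))
            lists[current[0]][current[1]].append((min(lo, hi), max(lo, hi)))
    return lists

def find_overlaps(lists):
    """Pairs of same-type lists whose ID ranges intersect: (type, a, b, lo, hi)."""
    hits = []
    for ltype, by_name in lists.items():
        for a, b in combinations(sorted(by_name), 2):
            for lo_a, hi_a in by_name[a]:
                for lo_b, hi_b in by_name[b]:
                    lo, hi = max(lo_a, lo_b), min(hi_a, hi_b)
                    if lo <= hi:            # empty result means the audit passes
                        hits.append((ltype, a, b, lo, hi))
    return hits
```

Run it against the output of show running-config policy before applying a data policy; any reported pair is a case where the applied policy would be chosen by internal software behavior rather than by you.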
VPN Lists
Each data policy instance is associated with a VPN list. You configure VPN lists with the policy data-policy vpn-list command. The VPN list you specify must be one that you created with a policy lists vpn-list command.
Sequences
Within each VPN list, a data policy contains sequences of match–action pairs. The sequences are numbered to set the order in which data traffic is analyzed by the match–action pairs in the policy. You configure sequences with the policy data-policy vpn-list sequence command.
A sequence in a policy can contain one match command and one action command. Therefore, to configure a DNS forwarder to Cisco Umbrella, you must configure a pair of sequences, one for processing DNS requests to be forwarded to Cisco Umbrella and the second to process DNS responses from Cisco Umbrella.
Match Parameters
For a data policy for configuring a DNS forwarder to Cisco Umbrella, you must configure the following two match conditions. You configure the match parameters with the match command under the policy data-policy vpn-list sequence command hierarchy on vSmart controllers.
Description | Command | Value or Range
---|---|---
DNS requests to be forwarded to Cisco Umbrella | dns request | —
DNS responses from Cisco Umbrella | dns response | —
Action Parameters
When data traffic matches the match parameters, the specified action is applied to it. You configure the action parameters with the action command under the policy data-policy vpn-list sequence command hierarchy on vSmart controllers.
For a centralized data policy that configures a vEdge router to act as a DNS forwarder to Cisco Umbrella, configure the following actions. You can configure other actions, as described in Configuring Centralized Data Policy.

Description | Command | Value or Range
---|---|---
Redirect DNS requests to a Cisco Umbrella server. Specify this action for a dns request match condition. | redirect-dns ip-address | IP address of a Cisco Umbrella server, either 208.67.222.222 or 208.67.220.220.
Process DNS responses from a Cisco Umbrella server. Specify this action for a dns response match condition. | redirect-dns host | Forward the responses to the requesting service VPN.
Default Action
If a data packet being evaluated does not match any of the match conditions in a policy, a default action is applied. By default, the data packet is dropped. To modify this behavior, include the policy data-policy vpn-list default-action accept command.
Apply a Policy
For the centralized data policy to take effect so that the vEdge router can act as a DNS forwarder to Cisco Umbrella, you apply it to a list of sites in the overlay network. Because the policy configures the router to both forward packets to and receive packets from a Cisco Umbrella server, specify the all option:
vSmart(config)# apply-policy site-list list-name data-policy policy-name (from-service | from-tunnel)
Example Configuration
The following example shows a data policy that enables Umbrella DNS security and that counts DNS traffic:
    vSmart# show running-config policy
    policy
     data-policy umbrella_dns
      vpn-list vpn_1
       sequence 1
        match
         dns request
        !
        action accept
         count umbrella_traffic_outbound
         redirect-dns 208.67.220.220
        !
       !
       sequence 2
        match
         dns response
        !
        action accept
         count umbrella_traffic_inbound
         redirect-dns host
        !
       !
      !
     !
     lists
      vpn-list vpn_1
       vpn 1
      !
      site-list vedge1
       site-id 500
      !
     !
    !
    vSmart# show running-config apply-policy
    apply-policy
     site-list vedge1
      data-policy umbrella_dns from-service
     !
    !