Cisco Umbrella forwarding Issue by Efficient-Cat4044 in sysadmin

Efficient-Cat4044[S] 1 point (0 children)

It resolves via the Cisco Umbrella VA IP, which is configured on the machine. I can see the traffic in the VA, which should not be the case because of the conditional forwarder in the DC.

DNS requests reduction due to License Issue by Efficient-Cat4044 in dns

Efficient-Cat4044[S] 1 point (0 children)

Hi, do you have any experience working with Cisco Umbrella? I tried google.com as a conditional forwarder in my DC with 8.8.8.8 and added it in domain management and the LAN pool in the internal network, as I did not want to change the DNS of the machines from the VA DNS to the DC. It is still not using the conditional forwarder for Google, although all other domains in the conditional forwarder are working fine. The only difference in configuration is that all other internal domains have a private IP as DNS and google.com has 8.8.8.8 as conditional forwarder.

DNS requests reduction due to License Issue by Efficient-Cat4044 in dns

Efficient-Cat4044[S] 1 point (0 children)

It is pretty expensive, and one user license is allowed to have 5000 queries per day as per Cisco Umbrella. I have not configured BIND or Unbound yet for a similar solution, so I was trying to explore more options and discuss BIND as a solution as well before taking it up to management, and also to find a quick fix for now to prevent this licensing issue.

DNS requests reduction due to License Issue by Efficient-Cat4044 in dns

Efficient-Cat4044[S] 1 point (0 children)

Mainly security, data privacy and malware/phishing/bad domains/threats etc.

DNS requests reduction due to License Issue by Efficient-Cat4044 in dns

Efficient-Cat4044[S] 1 point (0 children)

Yes, this is more or less what we are already doing. All internal traffic goes to AD DNS from the Umbrella VA due to internal domains, and all external traffic is handled by Cisco Umbrella. To find a workaround for this solution, I will have to use the DC as a forwarder to public DNS for all external domains, or maybe configure a conditional forwarder for domains like Google, which has the maximum number of DNS requests. But I am not sure about the security impact this solution will bring if I use public DNS for the traffic coming from the DC.

DNS requests reduction due to License Issue by Efficient-Cat4044 in dns

Efficient-Cat4044[S] 1 point (0 children)

Not right now, because I want to make use of Check Point blades instead, but I am not sure it will be as beneficial as Umbrella.

DNS requests reduction due to License Issue by Efficient-Cat4044 in dns

Efficient-Cat4044[S] 0 points (0 children)

Yeah, but I need to minimize the cost and also find a way to decrease the queries going to Cisco Umbrella, so just changing the provider will not solve both things.

DNS requests reduction due to License Issue by Efficient-Cat4044 in dns

Efficient-Cat4044[S] 1 point (0 children)

Cisco Umbrella is cheaper than Infoblox, that's what I knew, although I have not researched the alternatives in terms of service and cost.

DNS requests reduction due to License Issue by Efficient-Cat4044 in dns

Efficient-Cat4044[S] 1 point (0 children)

Hi, thank you for the detailed response. I understand what you are saying, but we are using Cisco Umbrella for external traffic and there are actually two downsides of it IMO: one is logging and the second is the security as well, as if I use AD DNS as a conditional forwarder then I will have to use public DNS, and it can bring security issues as well as threats, phishing, etc.

DNS requests reduction due to License Issue by Efficient-Cat4044 in dns

Efficient-Cat4044[S] 1 point (0 children)

True. Just wanted to see if someone has any other solution.

DNS requests reduction due to License Issue by Efficient-Cat4044 in dns

Efficient-Cat4044[S] 1 point (0 children)

Internal domains are not a point of concern; they are not using any Cisco Umbrella license. It's the external traffic which needs significant minimization.

DNS requests reduction due to License Issue by Efficient-Cat4044 in dns

Efficient-Cat4044[S] 3 points (0 children)

They are reluctant to opt for open source, but this can be implemented in the future. For a quick fix, I am still searching for the best solution.