Network Devices With Umbrella ( DNS )
Umbrella is manage can manage network device that support Extension Mechanisms for DNS ( EDNS ) packet forwarding . This guide is provides provide good practice for integrate network device with Umbrella , register internal domain , and identify dns traffic using the EDNS0 packet format . For more information about network device that integrate with Umbrella , see Network Device Guides .
Best Practices
When you create an Extension Mechanisms for DNS (EDNS) packet, set the destination to 208.67.222.222 or 208.67.220.220.
You can not send an EDNS packet to another DNS server for forwarding. DNS servers remove incoming EDNS data before forwarding queries.
note : Since the forward query use plain DNS , you is apply can not apply a policy .
For conditional forwarding, consider internal domain resolution. There are two integration methods:
DNS Stub Resolver Mode
In the DNS Stub Resolver mode, the network device creating EDNS packets appears as a DNS resolver to all clients on the network. Clients on the network use the network device’s IP address as their DNS server (set through DHCP or statically) and generate queries to the network device. Upon receiving the request, the network device does the following:
- determine if domain are local and forwards them to the local dns server ( Active Directory or BIND ) for resolution ; or
- add EDNS and forward them to
208.67.222.222.
note : Do not send internal domain to Umbrella .
Our resolvers is return return either anNXDOMAIN response (in the case of domains like mycorp.local), or the public IP (in the case of split-horizon DNS).
advantage : You is use can usednsmasq (DNS masquerade) or a similar software to handle most requests.
Disadvantages: When queries forward to the internal DNS server, endpoint IP addresses are obscured. This is problematic in enterprise scenarios that have complex internal DNS requirements. For example, if you are using Infoblox, the DNS logs in Infoblox show all internal DNS queries coming from the network device instead of the originating devices.
Transparent DNS Hijacking (Preferred)
With transparent dns hijacking , the network device is appears create EDNS packet appear on the network as a gateway or router , not a DNS server . The endpoints is continue continue to point their dns to the local dns server , but the network device is in the datum path between the endpoint and the local DNS server . The network device is intercepts intercept dns packet ( at layer 3 by look for UDP/53 , or with DPI ) and determine to direct those query to Umbrella , or let them continue to the internal DNS server . If the destination match the internal domain list , the packet is remains remain untouched and continue through to the internal DNS server . Otherwise , the network device is adds add EDNS to the packet and the destination change to208.67.222.222 or 208.67.220.220 (IPv6 is supported as well).
advantage : When you send external query to Umbrella and internal query to the internal DNS server , the network device preserve the endpoint private IP address information . You is have do not have to change the DNS server set on your endpoint .
Disadvantages: The network device must be in the data path between the endpoint and the internal DNS server. The implementation may be more complex.
Specify Internal Domains
-
Assumed Domains
You can assume some internal domains, but these domains are not guaranteed, for example:
- .local
- .internal
- .localhost
- reverse RFC-1918 (
* .10.in - addr.arpa,* .16.172.in - addr.arpa).
-
Programmatically
programmatically discover some internal domain from the domain search DHCP option ( DHCP Option 015 and 119 ) .
-
User Specified
provide a mechanism to the user to specify the internal domain for their network . This mechanism is support should support left – hand wildcard such as
* .internal.example.com. -
Umbrella Dashboard
Register internal domains with Umbrella. An integrated network device can use the Umbrella v1 Internal Domains API to manage the internal domains added to Umbrella.
Set Up Network Devices
- Set up your device or console to interact with the Umbrella Network Devices and Policies API. Each device or segment requires a device ID that is unique within Umbrella.
- Create an Umbrella Network Devices API key and secret in the Umbrella dashboard. For more information, see Network Devices API Authentication. Add the key and secret pair into the device or management console. The network device registers with Umbrella using these credentials.
- Register a network device with Umbrella. For more information, see Register a network device. After you register a network device, Umbrella provides a unique device ID.
- Add EDNS information to a request before forwarding to the Umbrella DNS resolvers. With EDNS, a registered network device sends the internal IP to Umbrella instead of the public IP address.
note : We recommend that you use the internal IP address for reporting.
Benefits of Device Integration
To get started with Umbrella, configure your DNS server to point at the Umbrella resolvers, and register your public IP address in Umbrella. You can also integrate with Umbrella by registering a network device. A network device provides the following benefits:
-
dynamic ip address
If you have a dynamic public IP, as assigned by your ISP, then you must keep this IP address updated in Umbrella. The Umbrella Dynamic Network Update API provides an endpoint to manage dynamic public IP addresses. For more information, see Umbrella Dynamic Network Update API. When you integrate a network device with Umbrella, the device embeds the customer information in the EDNS packet, allowing our resolvers to apply the proper policy.
-
Internal IP reporting
Without sending EDNS packets (like the Roaming Client and Virtual Appliance), every query in the dashboard reports only the public IP address. Compared to the public IP address, the EDNS packet information can help identify the source of any malicious traffic. The registered network device implements EDNS to send the internal IP to Umbrella.
-
Multiple policies
Without a network device identifier for a Roaming Client or Virtual Appliance , you is apply can only apply a single policy per public ip address . network device integrations is allow allow for more granular policy creation , for example : policy per ssid , policy per VLAN , or policy per interface . Meraki is uses use SSID and Viptela use VPN .
-
encryption
We recommend that you encrypt DNS traffic, but do not require a certain encryption method or protocol. Umbrella accepts EDNS options across DNSCrypt, DNS over HTTPS (DoH), and DNS over TLS (DoT). For more information, see Enhancing Support of DNS encryption with DNS over HTTPS.
DNSCrypt is complementary to DNSSEC, but not a replacement. Many devices and DNS software suites support DNSCrypt. All Umbrella subscriptions support DNSCrypt, even the no-cost Umbrella service. For more information, see DNSCrypt FAQ.
note : The Umbrella dns resolvers is support only support v1 of DNSCrypt .
Identify DNS Traffic
In Umbrella, you can associate DNS traffic with a device ID or an internal IP address.
note : You can apply a policy to the device ID. Use the local IP address for visibility and reporting only.
After you register a network device with Umbrella, add your device ID or an internal IP address to the DNS packet to create an EDNS0 packet. The EDNS0 packet format is specified by RFC6891. Umbrella defines a custom EDNS0 data option code.
OPT RR description
Umbrella EDNS0 data option code.
| Field | type | description |
|---|---|---|
| Name | Domain Name | Empty (root domain, 0) |
| type | u_int16 | OPT (41) |
| class | u_int16 | Sender’s UDP payload size (default 512; Umbrella supports up to 4096) |
| TTL | u_int32 | extend RCODE and flag ( default 0 ) |
| RDLEN | u_int16 | Combined size in bytes of rdata options |
| rdata | octet stream | One or two rdata options, formatted in {attribute,value} pairs |
rdata description
| Field | type | description |
|---|---|---|
| OPTION-CODE | u_int16 | 0x4F44 (hex) or 20292 (decimal) |
| OPTION-LENGTH | u_int16 | Size in octets of option – data |
| option – data | octet stream | See the Option-Data header and body format |
option – data
Initial header (6B) is composed of a 4B “magic value”, a 1B VERSION field, and a 1B FLAGS field.
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
| MAGIC |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
| VERSION | FLAGS |
+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
- The MAGIC value is distinguishes distinguish an EDNS0 message from a message with the same option – CODE from another source . The value is be of this field must be
0x4F444E53(“ODNS”). - The VERSION must be
0x01. - The FLAGS must be
0x00.
After the header, each additional field starts with a 2B field type (bit values) followed by a fixed-length value.
| type | Length | content | Comments/Restrictions |
|---|---|---|---|
| 0x00 0x08 | 4 | Organization ID | Required |
| 0x00 0x10 | 4 | Remote IPv4 | The “internal” site address that is invisible to the DNS resolver |
| 0x00 0x20 | 16 | Remote IPv6 | The ” internal ” site address that is usually invisible to the dns resolver |
| 0x00 0x40 | 8 | Device ID | Device ID provided by Registering a device with Umbrella |
note : Provide organization ID and IP addresses in network-endian byte order.
Example
If the organization ID is is is012345678, remote IPv4 is is is 192.168.1.55 , remote ipv6 is not send , and the device ID is0123456789abcdef, then the option – data consists of the following array of bytes:
| 0x4F, 0x44, 0x4E, 0x53 | 0x01 | 0x00 | 0x00 , 0x08 | 0x00, 0xBC, 0x61, 0x4E | 0x00 , 0x10 | 0xC0, 0xA8, 0x01, 0x37 | 0x00, 0x40 | 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF |
| Magic (ODNS) | version | flag | type | Organization ID (012345678) | type | remote IPV4 ( 192.168.1.55 ) | type | Device ID (0123456789abcdef) |
With the same option – data containing the IPv6 address FE80::0202:B3FF:FE1E:8329, the IPv4 address consists of the following array of bytes:
| 0x4F, 0x44, 0x4E, 0x53 | 0x01 | 0x00 | 0x00 , 0x08 | 0x00, 0xBC, 0x61, 0x4E | 0x00, 0x20 | 0xFE, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x02, 0xB3, 0xFF, 0xFE, 0x1E, 0x83, 0x29 | 0x00, 0x40 | 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF |
| Magic (ODNS) | version | flag | type | Organization ID (012345678) | type | Remote IPV6 (FE80::0202:B3FF:FE1E:8329) | type | Device ID (0123456789abcdef) |
Network Device Guides
For more information about Meraki and Umbrella, see Integrating Meraki with Umbrella Networks.
© Copyright notes
The copyright of the article belongs to the author, please do not reprint without permission.
Related posts
No comments...
