Summary
Cisco Umbrella provides security via Domain Name System protocol. Almost all requests to a site or service uses a name (www.google.com) that we are familiar with. DNS simply translates that to an IP address so the packet can be routed to the appropriate server.
We have Umbrella DNS appliances on site that will intercept these DNS requests, analyze them, and "block" them by redirecting the client to https://block.opendns.com or return an IP address in the 146.112.x.x address range. If the computer happens to have the Umbrella Agent installed, you will see that the DNS server for that computer is itself (127.0.0.1) and the Agent determines what IP address to return to the application/web client.
Systems/Components Involved
- Cisco Umbrella Console
- Opendns1.nic.edu
- Opendns2.nic.edu
- Cisco Umbrella agent (generally installed on laptops)
Procedure
Checking without access to the Umbrella Console
For example, we block the domain pantsunderwearstore.com. If I try to go to a web server to that site (say, http://host.pantsunderwear.com), I will get the following displayed on my browser:
Note that this is using http protocol. If I were accessing using HTTPS, I may get a certificate error since OpenDNS (Cisco Umbrella) is trying to mimic the site, but the browser may see this as a security threat.
If I was using an application that was trying to access a site that was blocked, you may NOT get this feedback window that Cisco Umbrella is blocking the site. However, if you know the site that the application is trying to reach (like hosts.pantsunderwearstore.com), you can open a command prompt and see what IP address DNS is returning.
As you know from earlier in this document, 146.112.x.x address belong to OpenDNS/Cisco Umbrella. Just to verify, you can issue a ping -a <ip address> just to double check:
There, you can see that this IP address resolves to hit-block.opendns.com.
Checking Using the Umbrella Console
- Log into the Umbrella Console (using Single sign on)
- You will be presented with the SSO login page below. Enter your email address
- At the default Overview page, scroll down to the bottom and click on Total Blocks
- This will take you to Reporting->Core Reports->Activity Search but with a default filter of all Blocked requests
- You can just type in the host that you suspect was being blocked or just type in a wildcard entry. In this example, I was trying get to host.pantsunderwearstore.com, but we can just as easily search for *.pantsunderwearstore.com (if we suspect the traffic to be balanced among several hosts).
- When you press enter, it will add that domain to the filter and you should see all of the blocked DNS requests to that site. If it is a NIC domain joined computer, you should see the IP address of the computer that was trying to access the site as well as the user logged into the computer.
- In this cased, pantsunderwearstore.com is in our blocked list. However, most times, the site is generally blocked since people are accessing the site for the first time and it is a Newly Seen Domain. Regardless, this verifies the results from the ping test that the Umbrella is indeed blocking access to the site