Introduction
This document describes the DNS request types that can be collected and listed in a report. Each record type has its own purpose in the DNS infrastructure. When thinking about DNS, the first record type that comes to mind is the A record, which holds the IPv4 address belonging to the hostname of the domain.
With regard to blocked security domains, note that Cisco Umbrella blocks A, AAAA, ANY, CNAME, PTR, SRV, PRIVATE, SPF/DNS, NULL, SIG, HTTPS (Type65), and TXT records, so queries for other record types (MX, SOA, and NS) are allowed even though the category is blocked. However, requests for MX records of domains that have been categorized as "DNS Tunneling VPN" are refused.
"Allowed" Security Categories in Umbrella Reports
Cisco Umbrella is committed to DNS security. DNS record types observed to be capable of facilitating malicious connections (for example, A/AAAA), tunneling traffic (TXT, SRV, etc.), or allowing bypass of standard DNS (Type65, etc.) are enforced. Some record types that are reference records, such as MX, SOA, and NS, are permitted even if tagged in a security category. If you believe a record type that is not blocked should be blocked, contact us at umbrella-support@cisco.com to request it. We monitor for new threat types to ensure that all records capable of delivering a malicious connection are enforced, without blocking request types that serve informational requests on the domain's ownership or mail servers.
To validate whether an "Allowed" Malware request is due to a request for an alternate record type, open your Activity Search and add the DNS record type column. This behavior is surfaced transparently in reporting and does not indicate a failure to protect or a coverage gap.
For content filtering categories, record types other than A and AAAA are not blocked. Destination lists also do not block all record types; NS, for example, is not blocked.
To view the record type of a request in the Activity Search, toggle the "DNS Types" column.
If a domain is "blocked", queries for address record types A and AAAA return IP addresses that belong to Umbrella block pages. Queries for DNS record types ANY, CNAME, PTR, SRV, SIG, or TXT return "REFUSED". (Note: when querying for domains classified as Dynamic DNS, address record types A and AAAA are blocked, but queries for other DNS record types do not return "REFUSED".) The full list of types for which we return "REFUSED" is: 3-5, 7-10, 12, 16, 30, 33, 38, 64, 65, 99, 245, 253, 255, 65280-65534.
Exceptions:
- DNS Tunneling domains "block" all record types.
- For the Dynamic DNS category, only A/AAAA records are blocked.
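The enforcement rules above can be encoded to triage "Allowed" rows from an Activity Search export by record type. This is an added example, not Cisco code: the category labels, the row layout, and the sample rows are assumptions constructed for illustration, and the numeric type list is copied from the paragraph above.

```python
# Added example, not Cisco code: encodes only the behaviour stated on this page.
REFUSED_SPEC = "3-5,7-10, 12, 16, 30, 33, 38, 64, 65, 99, 245, 253, 255, 65280-65534"
ADDRESS_TYPES = {1, 28}   # A, AAAA (IANA type numbers)
SIG = 24                  # named in the prose as REFUSED, absent from the numeric list


def parse_ranges(spec):
    """Expand a list such as '3-5,7-10, 12' into a set of integers."""
    types = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        types.update(range(int(lo), int(hi or lo) + 1))
    return types


REFUSED_TYPES = parse_ranges(REFUSED_SPEC) | {SIG}


def expected_response(qtype, category="security"):
    """Response the page describes for a query to a blocked domain.

    category is a hypothetical label: 'security', 'dns_tunneling' or 'dynamic_dns'.
    """
    if qtype in ADDRESS_TYPES:
        return "BLOCK_PAGE_IP"
    if category == "dns_tunneling":
        return "BLOCKED"          # exception: all record types are blocked
    if category == "dynamic_dns":
        return "NOT_ENFORCED"     # exception: only A/AAAA are blocked
    return "REFUSED" if qtype in REFUSED_TYPES else "NOT_ENFORCED"


def explain_allowed(rows):
    """Split 'Allowed' rows into those explained by record type and those to review."""
    explained, review = [], []
    for domain, qtype, category in rows:
        bucket = explained if expected_response(qtype, category) == "NOT_ENFORCED" else review
        bucket.append((domain, qtype))
    return explained, review


# Constructed sample of 'Allowed' activity rows: (domain, numeric qtype, category)
SAMPLE = [
    ("bad.example", 15, "security"),       # MX
    ("bad.example", 2, "security"),        # NS
    ("bad.example", 16, "security"),       # TXT
    ("dyn.example", 16, "dynamic_dns"),    # TXT
    ("tun.example", 15, "dns_tunneling"),  # MX
]
```

Rows in the second list are the ones where an "Allowed" result is not explained by the record type alone and deserves a closer look.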
DNS Lookup Types & Functions
| DNS Lookup Type | Description | Function |
|---|---|---|
| A | IPv4 address record | Returns a 32-bit IP address, which typically maps a domain’s hostname to an IP address, but is also used for DNSBLs and storing subnet masks |
| AAAA | IPv6 address record | Returns a 128-bit IP address that maps a domain’s hostname to an IP address |
| ANY | All cached records | If the domain is not blocked, Umbrella returns NOTIMP to requests for this type. |
| CNAME | Canonical name record | Alias of one name to another: the DNS lookup continues by retrying the lookup with the new name |
| MX | Mail exchange record | Maps a domain name to a list of message transfer agents for that domain |
| NS | Name server record | Delegates a DNS zone to use the specified authoritative name servers |
| PTR | Pointer record | Pointer to a canonical name that returns the name only and is used for implementing reverse DNS lookups |
| SIG | Signature | Signature record |
| SOA | Start of authority record | Specifies authoritative information about a DNS zone, including the primary name server, the email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone |
| SRV | Service locator | Generalized service location record, used for newer protocols instead of creating protocol-specific records such as MX |
| TXT | Text record | Carries extra data, sometimes human-readable, most of the time machine-readable such as opportunistic encryption, DomainKeys, DNS-SD, and so on. |