Troubleshoot ASA Firewall Blocking DNScyrpt Functionality from the Umbrella Virtual Appliance

Available Languages

Download Options

  • PDF     (1.6 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (1.7 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.4 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:August 27, 2025
Document ID:224689

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This article describes how to troubleshoot the ASA Firewall blocking DNScrypt functionality.

    Overview

    The Cisco ASA Firewall can block the DNScrypt functionality offered by the Umbrella Virtual Appliance. This results in this Umbrella Dashboard warning:

    Umbrella Dashboard Warning

    These error messages can also be seen in the ASA firewall logs:

    Dropped UDP DNS request from inside:192.168.1.1/53904 to outside-fiber:208.67.220.220/53; label length 71 bytes exceeds protocol limit of 63 bytes

    DNSCrypt encryption is designed to protect the contents of your DNS queries and as such also stops firewalls from performing packet inspection.

    Cause

    These errors must not cause any user facing impact with DNS resolution. 

    The Virtual Appliance sends test queries to determine the availability of DNScrypt and it is those test queries that are blocked. However, these error messages do indicate that the Virtual Appliance is not adding additional security by encrypting your company's DNS traffic.

    Resolution

    We recommend disabling DNS packet inspection for traffic between the Virtual Appliance and Umbrella's DNS resolvers. Although this disables the logging and protocol inspection on the ASA, it enhances security by allowing DNS encryption.

    note-icon

    Note: These commands are provided for guidance only and it is recommended that a Cisco expert be consulted prior to making any changes to a production environment.
    Also be aware this defect on ASA might affect DNS over TCP, which can also cause problems with DNSCrypt: 
    CSCsm90809 DNS inspection support for DNS over TCP

    Packet Inspection Exceptions – IOS Commands

      1. Create a new ACL called 'dns_inspect' with rules to deny traffic to 208.67.222.222 and 208.67.220.220.  
        access-list dns_inspect extended deny udp host <Appliance IP> host 208.67.220.220 eq domain 
        access-list dns_inspect extended deny tcp host <Appliance IP> host 208.67.220.220 eq domain 
        access-list dns_inspect extended deny udp host <Appliance IP> host 208.67.222.222 eq domain 
        access-list dns_inspect extended deny tcp host <Appliance IP> host 208.67.222.222 eq domain
        access-list dns_inspect extended permit udp any any eq domain 
        access-list dns_inspect extended permit tcp any any eq domain


        For VA 2.2.0, please also add our 3rd and 4th resolver IPs which are also enabled for encryption. This will not be needed for 2.2.1+
        access-list dns_inspect extended deny udp host <Appliance IP> host 208.67.220.222 eq domain
        access-list dns_inspect extended deny tcp host <Appliance IP> host 208.67.220.222 eq domain
        access-list dns_inspect extended deny udp host <Appliance IP> host 208.67.222.220 eq domain
        access-list dns_inspect extended deny tcp host <Appliance IP> host 208.67.222.220 eq domain
      2. Remove the current DNS inspection policy on the ASA. For example: 
        ciscoasa(config)# policy-map global_policy
        ciscoasa(config-pmap)#  class inspection_default
        ciscoasa(config-pmap-c)# no inspect dns
      3. Create a class-map matching the ACL created in Step #1: 
        class-map dns_inspect_cmap 
         match access-list dns_inspect
      4.  Configure a policy-map under the global_policy. This must match the class-map created in Step #3. Enable DNS inspection. 
        policy-map global_policy 
         class dns_inspect_cmap 
          inspect dns
      5. Once enabled you can verify that traffic is hitting the exclusions by running: 
        sh access-list dns_inspect

    Packet Inspection Exceptions – ASDM Interface

      1. First disable any DNS packet inspection if applicable.This is done in Configuration > Firewall > Service Policy Rules.
        ASDM Interface

      2. In the example the DNS inspection is enabled under the Global Policy and 'inspection_default' class. Highlight it and click on Edit. On the new window uncheck the box for 'DNS' under the "Rule Action" tab.Edit Service Policy Rule

      3. Now you can re-configure the DNS inspection, this time with additional traffic exemptions. Click on Add > Add Service Policy Rule...
        ASDM Configuration

      4. Select "Global - Applies to all interfaces" and click on Next  (you can also apply this to a specific Interface if you wish).
        Add Service Policy Rule Wizard - Service Policy

      5. Give a name to the class-map (for example 'dns-cmap') and check the option "Source and Destination IP Address (uses ACL)"Click Next.
        Add Service Policy Rule Wizard - Traffic Classification Criteria

      6. Start by configuring the traffic that you do not want to be inspected by using the "Do not match" action.
        For Source, you can use the option 'any' to exempt all traffic destined to Umbrella's DNS servers. Alternatively, you can create a Network Object definition here to only exempt the specific Virtual Appliance IP address.
        Add Service Policy Rule Wizard - Traffic Match

      7. Click ... on the Destination field. On next window, click on Add > Network Object and create an object with the IP Address of '208.67.222.222'. Repeat this step to create an object with IP Address of '208.67.220.220'.
        Browse Destination

        Edit Network Object

      8. Add both Umbrella network objects to the Destination field and click OK.
        Add Service Policy Rule Wizard - Traffic Match


      9. On the next window check the box for 'DNS' and click on Finish.
        Add Service Policy Rule Wizard - Rule Actions

      10. The ASA now shows the new Global-Policy for 'dns-cmap'. Now you need to configure the remaining traffic that is inspected by the ASA. This is done by right clicking on 'dns-cmap' and selecting the option "Insert After..." which creates a new rule.
        Traffic Classification - Insert After

      11. On first window click on Next and on then check the "Add rule to existing traffic class:" radio button. Select 'dns-cmap' from the drop-down and then click Next.Add Service Policy Rule Wizard - Traffic Classification Criteria

      12. Leave the Action as 'Match'. Choose the Source, Destination and Service of traffic that is subject to DNS inspection. Here, for example, we are matching traffic from any client going to any TCP or UDP DNS Server. Click Next.Add Service Policy Rule Wizard - Traffic Match

      13. Leave the 'DNS' option checked and click on Finish.
      14. Click on Apply at the bottom of the window.
        Configuration - Firewall - Service Policy Rules

    Further Information

    If you would prefer to disable DNScrypt rather than configuring ASA exemptions, please contact Umbrella support.

    Revision History

    Revision Publish Date Comments
    1.0
    27-Aug-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products