Introduction
This document describes the differences between Internal Domain lists and External Domain lists in Umbrella.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on Umbrella Roaming Client.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Overview
After introducing the Umbrella SIG solution, Umbrella added the concept of the External Domain list. This article explains the difference between the Internal Domain list and the External Domain list.
Internal Domain List
For all the domains that are added to the Internal Domain list, the DNS queries are sent through the local network's DNS servers. These domains bypass the roaming devices and the virtual appliances and are resolved using the DNS servers configured on the machine. This also bypasses the Umbrella DNS layer. The Umbrella dashboard admin cannot see the DNS record in the dashboard.
External Domain List
All the domains that are added to the External Domain list can bypass the SWG, and these domains cannot be proxied. The External Domain list can bypass the Umbrella proxy layer. The External Domain list can be applied only to Hosted PAC and AnyConnect devices. The Umbrella dashboard admin cannot see the Web record in the dashboard.
Caveats
Domains listed in the Internal Domain list can bypass both the DNS Layer Protection and SWG Proxy.
Domains listed in the External Domain list do not bypass the DNS Layer Protection; they bypass only the SWG Proxy.
Recommendation
You must add only domains that are trusted, because adding a domain can bypass a layer of the Umbrella protection, depending on the list to which you add it.
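The following audit sketch is an added example, not Cisco code. It applies the caveats above to exported copies of both lists: it reports which layers no longer inspect a given domain and flags entries that are outside an approved trusted set or that are on the External list while already covered by the Internal list. The domain names are constructed sample data, and the rule that an entry also covers its subdomains is an assumption of this example.

```python
# Added example: audit Umbrella bypass lists. All names below are constructed samples.
DNS, SWG = "DNS Layer Protection", "SWG Proxy"

INTERNAL = ["corp.example", "Legacy-App.example."]             # constructed
EXTERNAL = ["video.partner.example", "intranet.corp.example"]  # constructed
TRUSTED = ["corp.example", "partner.example"]                  # constructed approval list

def normalize(domain):
    """Lower-case and drop surrounding whitespace and the trailing root dot."""
    return domain.strip().lower().rstrip(".")

def covers(entry, domain):
    # Assumption: a list entry also applies to every subdomain of that entry.
    return domain == entry or domain.endswith("." + entry)

def bypassed_layers(domain, internal, external):
    """Return the Umbrella layers that no longer inspect `domain`."""
    domain = normalize(domain)
    layers = set()
    if any(covers(normalize(e), domain) for e in internal):
        layers |= {DNS, SWG}   # Internal list: DNS layer and SWG are both bypassed
    if any(covers(normalize(e), domain) for e in external):
        layers |= {SWG}        # External list: SWG only, DNS layer still applies
    return layers

def audit(internal, external, trusted):
    """Return (list, entry, reason) findings for entries that need review."""
    findings = []
    for name, entries in (("internal", internal), ("external", external)):
        for raw in entries:
            entry = normalize(raw)
            if not any(covers(normalize(t), entry) for t in trusted):
                findings.append((name, entry, "not under an approved trusted domain"))
    for raw in external:
        entry = normalize(raw)
        if any(covers(normalize(i), entry) for i in internal):
            # The admin may expect DNS-layer visibility, but the Internal entry removes it.
            findings.append((name, entry, "shadowed by Internal list: DNS layer also bypassed"))
    return findings

if __name__ == "__main__":
    for finding in audit(INTERNAL, EXTERNAL, TRUSTED):
        print(*finding, sep=" | ")
    for d in ("hr.corp.example", "video.partner.example", "www.other.example"):
        print(d, "->", sorted(bypassed_layers(d, INTERNAL, EXTERNAL)) or "fully inspected")
```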