Configure Internal DNS Servers for Umbrella Deployment

Available Languages

Download Options

  • PDF     (196.1 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (285.3 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (348.8 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:September 12, 2025
Document ID:224910

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure the internal DNS servers to deploy the VA component of Cisco Umbrella.

    Configure the Internal DNS Servers

    To deploy the virtual appliance (VA) component of Cisco Umbrella, we recommend this DNS configuration on any internal DNS server.

    1. In DNS server's network adapter settings, use the loopback address (127.0.0.1) so that the server uses itself for DNS resolution. The second entry must be another internal DNS server.

      Internet Protocol Version 4 Properties dialog26492560404372

    2. In DNS server's forwarder settings, use the Umbrella anycast addresses (208.67.220.220 and 208.67.222.222), and not the virtual appliance IP addresses.  Forwarding DNS queries from DNS server to virtual appliances can cause DNS loops, and is not recommended nor supported per https://docs.umbrella.com/deployment-umbrella/docs/6-local-dns-forwarding.

      Internet Protocol Version 4 Properties dialog - Fowarders tab26492637809300

    3. If you use a Windows DNS server, consider to uncheck the "Use root hints" option as it can cause DNS traffic to be bypassed in some instances.  For more information on this best practice, please reference our article that discusses root hints further.

      Internet Protocol Version 4 Properties dialog - Fowarders tab 226492657078036

      note-icon

      Note: Whether to use root hints as the last resort in forwarder configuration is up to your discretion. If you uncheck the "Use root hints" option, it is possible that there can be some situations where your DNS server is not able to resolve external domains. You do not have to uncheck the option if you do not feel comfortable doing so.

    4. If the server also acts as a mail server, the best option is to point forwarder to your ISP's DNS servers or other recursive resolvers such as those provided by your ISP. We outline potential problems with using Umbrella on mail servers in these articles:
      • Umbrella and Your Email Server
      • Does Umbrella Work with DNSBLS and URIBLS?

    Revision History

    Revision Publish Date Comments
    1.0
    17-Sep-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products