Introduction
This document describes known incompatibilities for the Cisco Umbrella Roaming Client.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on Umbrella Roaming Client.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Overview
The Cisco Umbrella roaming client binds to all network adapters' and changes DNS settings on the computer to 127.0.0.1 (localhost). This allows the Umbrella roaming client to forward all DNS queries directly to Umbrella while allowing resolution of local domains via the Internal Domains feature.
These software and hardware either prevent these actions from happening or have a similar logic of requiring specific DNS settings in order to work. As such, Umbrella does not recommend running the Umbrella roaming client alongside any of the products mentioned in the table.
Please contact Umbrella Support for further information or questions.
Software
| Software |
Description |
| Blue Coat K9 Web Protection |
Blue Coat K9 Web Protection does not allow DNS to be changed by a third-party application (like the Umbrella roaming client) and has no way of making exceptions in this regard. The Umbrella roaming client and K9 Web Protection cannot run on the same computer. |
| DNSMasq |
DNSMasq is software which caches DNS and runs as a system service. It binds to all network adapters on port 53 (the port DNS uses) and conflicts with the Umbrella roaming client |
| Kaspersky AV 16.0.0.614. |
The 2016 edition of Kaspersky AV is incompatible with version 16.0.0.614 on Windows 10 as it can interrupt the flow of DNS. Please update to version 16.0.1.445 or newer.
Confirmation steps: Turn off the Umbrella roaming client or uninstall, point DNS to 208.67.222.222 and confirm that the issue continues. DNS tests "nslookup -type=txt debug.opendns.com" while this is set up can time out a portion of the time while Kaspersky is turned on, resulting in slow DNS resolution.
|
VOIP Phone Software
These VOIP software reportedly do not work when the Umbrella roaming client is installed and running:
- Jive Mobility
- Counterpath X-Lite
- Megapath UC
For unknown reasons, some VOIP clients can fail to start or work properly when an application is bound to 127.0.0.1:53, which is what the Umbrella roaming client does. Although these VOIP clients do not seem to require binding to that IP:PORT, they fail to start regardless.
3G/4G HotSpots and Physical Adapters
This list of 3G/4G HotSpots and physical network adapters have unalterable behavior in regard to DNS modification.
| 3G/4G HotSpots |
Miscellaneous |
| Vodafone (Huawei) E272 |
ASIX AX88179 USB 3.0 to Gigabit Ethernet Adapter |
Some USB-based 3G/4G HotSpot devices and other miscellaneous devices use the same logic in their firmware or software as the Umbrella roaming client. The DNS server address on the client changes to something unexpected by the software or 3G/4G HotSpots, and they change the DNS setting back to the previous setting. The Umbrella roaming client then performs the same operation and changes any DNS servers back to 127.0.0.1.
The conflict can cause an endless cycle of the DNS servers for the VPN connection being reset. The result is a lack of reliable DNS resolution and incomplete protection from Umbrella security services.
At this time, Umbrella does not have any changes planned to accommodate these software programs and USB-based 3G/4G devices and adapters. In the future, Umbrella can implement compensating controls wherein the Umbrella roaming client can disable itself when it senses there is a conflicting component.
Feedback