Introduction
This document describes how to configure Umbrella's content filters using IP addresses instead of hostnames.
Overview
Most websites belong to a domain that resolves to a single IP address, but it is neither easy nor, in most cases, possible to "bypass" Cisco Umbrella's content filters by simply entering the IP address of a website into a browser address bar. In addition, most malware uses domain names for its command and control (C&C) rather than IP addresses.
What to do
For security, blocking by hostname instead of IP is actually better for these reasons:
- Better security—malicious domains hop from IP to IP in order to evade proxy and malware-blocking solutions, or the ISP. Keeping up with these changes at the IP level rather than the domain level is very hard (and not the right approach).
- Reduced false positives/negatives—one IP is sometimes shared by thousands of domains, only a few of which are malicious. Blocking all of them is not a good idea, and neither is blocking none of them.
- Better visibility—blocking IPs prevents logging and analytics of which domain the user/machine tried to access, which is the information the security/compliance teams care about.
For content blocking, it is true that accessing a website or host by IP address does not require a DNS lookup, so technically that request is not sent to Umbrella's servers for evaluation.
However, most websites today use load balancing and high availability solutions as well as geolocation (where multiple IPs and locations are used for better performance for the end user). They have multiple subdomains for features such as authentication, the website comprises multiple IPs from different servers, and in some cases entering the IP simply redirects you to the FQDN for the site. Nearly all web servers silently instruct web browsers to download their content from one or more different domains. After the initial connection is established, several additional DNS requests are sent by the user's browser on the server's behalf, and these are enforced as normal.
As a result, in the vast majority of cases, simply typing an IP address into a browser does not work, because the setup on the web server side usually ends up converting that to a domain, and at that moment we receive a DNS query that can be acted upon. Alternatively, you may receive a partial or broken homepage, after which none of the links, including login, work without proper DNS resolution in place.
At that point, Umbrella is able to intercept the request for resolution and perform an evaluation for security or content.
If you are unsure about the status of a particular site, do an nslookup on the domain, then enter the resolved IP address directly into the browser address bar and observe how the site behaves (a redirect to the FQDN, a broken page, or additional DNS lookups). We encourage you to try this for yourself.
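The same check can be scripted. The following is an added example (not Cisco's or Umbrella's own code) that resolves a domain, fetches the page over plain HTTP by IP, and lists the hostnames the browser would still have to resolve afterwards, i.e. the DNS queries Umbrella would see. The parsing is demonstrated on a constructed response; all hostnames in it are illustrative placeholders.

```python
import re
import socket
import http.client
from urllib.parse import urlsplit

# Constructed sample response, as a server might return it when asked for "/"
# by raw IP. Not captured from any real site; hostnames are placeholders.
SAMPLE_STATUS = 301
SAMPLE_HEADERS = {"Location": "https://www.example.com/"}
SAMPLE_BODY = """<html><head>
<script src="https://static.example-cdn.net/app.js"></script>
<link rel="stylesheet" href="//fonts.example.org/main.css">
</head><body><a href="/login">Login</a>
<img src="https://images.example.com/logo.png"></body></html>"""

# Attributes that make a browser fetch another URL.
_URL_ATTR = re.compile(r'(?:src|href|action)\s*=\s*["\']([^"\']+)["\']', re.I)


def hostnames_browser_must_resolve(status, headers, body):
    """Return the set of hostnames a browser would have to look up (and so
    send through Umbrella's DNS) after fetching a page directly by IP."""
    hosts = set()
    # A redirect to an FQDN immediately forces a DNS lookup of that name.
    if 300 <= status < 400 and headers.get("Location"):
        host = urlsplit(headers["Location"]).hostname
        if host:
            hosts.add(host)
    # Absolute and protocol-relative URLs reference other domains; relative
    # paths such as "/login" reuse the IP connection and need no lookup.
    for url in _URL_ATTR.findall(body):
        if url.startswith("//"):
            url = "https:" + url  # protocol-relative URL
        host = urlsplit(url).hostname  # None for relative paths
        if host:
            hosts.add(host)
    return hosts


def ip_access_bypasses_dns(status, headers, body):
    """True only if nothing in the response forces a further DNS resolution."""
    return not hostnames_browser_must_resolve(status, headers, body)


def check_live(domain, timeout=5):
    """nslookup-style resolve, then GET http://<ip>/ directly (needs network)."""
    ip = socket.gethostbyname(domain)
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    conn.request("GET", "/", headers={"User-Agent": "ip-bypass-check"})
    resp = conn.getresponse()
    body = resp.read(65536).decode("utf-8", "replace")
    return ip, hostnames_browser_must_resolve(resp.status, dict(resp.getheaders()), body)
```

A non-empty result from `check_live` means the "IP in the address bar" attempt still produces DNS queries that Umbrella can evaluate; an empty set (rare in practice) is the only case worth reviewing further.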