Introduction
This document describes an update to the default network prerequisites for the Chromebook client when used with Umbrella.
Background Information
Cisco is releasing an emergency update to our Chromebook app. This release changes the default DNS port from UDP 53 to UDP 443 due to an observed issue in ChromeOS 99 and 100 that prevents blocks from successfully applying with DNS over UDP 53. Without this update, Umbrella coverage could fail to apply on Chromebooks.
Update June 2022: The issue has been resolved on ChromeOS. Port 53 can once again be used normally. The Umbrella default remains port 53. See these steps on how to return to UDP 53 by configuration.
Impact Statement
The change to 443 can impact a Chromebook's ability to resolve Umbrella DNS, causing what appears to be extreme latency on version 1.3.15. Ensure that UDP 443 is permitted to 208.67.222.222 or apply the mitigation in these steps.
Users with ChromeOS 99 or higher on Umbrella 1.3.13 or lower can see coverage fail to apply.
This issue affects Umbrella by preventing UDP 53 DNS queries from being sent to DNS addresses that are not configured on the device or via DHCP.
Required Change
- Validate that UDP 443 to 208.67.222.222 is open on your network, or
- See these alternative steps to retain UDP 53. Until a resolution is made available in ChromeOS, a DoH configuration can be required as a workaround in order to still use UDP 53 for DNS to Umbrella.
To restore DNS on UDP 53, add this to your Chromebook Umbrella configuration. Note that this can cause your Umbrella blocks to not apply for all Chromebooks on versions 98-100.
"resolverPortNumber": { "Value": 53 }
As an alternative, if UDP 53 is required, you can configure Chromebook DoH to dns.umbrella.com in Google Workspace. This allows the Umbrella Chromebook Client to continue to send DNS to the Umbrella resolvers for enforcement.
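One way to carry out the "Validate that UDP 443 to 208.67.222.222 is open" check from a host on the same network as the Chromebooks. This is an added example, not Cisco code. It assumes the resolver answers standard DNS wire-format queries on the port, as the port change described above implies; the test name `example.com` and the function names are chosen for illustration.

```python
import secrets
import socket
import struct

UMBRELLA_RESOLVER = "208.67.222.222"  # resolver address given on this page


def build_query(name, txid):
    """Encode a minimal DNS query for an A record, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in name.rstrip(".").split(".")
    )
    # Root label, then QTYPE=A (1) and QCLASS=IN (1)
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def is_valid_reply(data, txid):
    """True if data is a DNS response (QR bit set) carrying our transaction ID."""
    if len(data) < 12:
        return False
    reply_id, flags = struct.unpack("!HH", data[:4])
    return reply_id == txid and bool(flags & 0x8000)


def probe(port, resolver=UMBRELLA_RESOLVER, name="example.com", timeout=3.0):
    """Send one query to resolver:port over UDP; return 'open', 'filtered' or 'error'."""
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, txid), (resolver, port))
            data, peer = sock.recvfrom(4096)
        except socket.timeout:
            return "filtered"  # no reply: dropped by a firewall, or lost in transit
        except OSError:
            return "error"     # e.g. ICMP port unreachable or no route
    # Accept only a matching reply that came from the resolver we queried
    if peer[0] == resolver and is_valid_reply(data, txid):
        return "open"
    return "error"


if __name__ == "__main__":
    for port in (443, 53):
        print(f"UDP {port} -> {UMBRELLA_RESOLVER}: {probe(port)}")
```

A result of `filtered` on 443 means the egress rule still needs to be opened. Because this runs off-device, it checks the network path only, not the ChromeOS behaviour on UDP 53 described above.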