Cisco Catalyst SD-WAN Policy Groups Configuration Guide, Releases 26.x and Later

Configure DNS security

Configure a DNS security policy to enable a cloud-based security service that inspects DNS queries sent to DNS servers through devices.


Procedure

1. From the Cisco SD-WAN Manager menu, choose Configuration > Policy Groups > DNS Security.

2. Click Add DNS Security Policy.

Field

Description

Add DNS Security Policy

From the Add DNS Security Policy drop-down list, select Create New to create a new DNS Security Policy.

Create New

Displays the DNS Security Policy wizard.

Policy Name

Enter a name for the policy.

Select Provider

Minimum supported release: Cisco Catalyst SD-WAN Manager Release 26.1.1.1

Choose from:

  • Cisco Secure Access

  • Umbrella

Registration Status

Displays the status of the API Token configuration.

Manage Cisco Secure Access Registration

Enter the following details:

  • Organization ID:

    Cisco Secure Access organization ID for your organization.

    For more information, see Find Your Organization ID in the Cisco Secure Access User Guide.

  • API Key: Cisco Secure Access API Key.

  • Secret: Cisco Secure Access API Secret.

Manage Umbrella Registration

  • Enter the Cisco Umbrella organization ID (Organization ID) for your organization. For more information, see Find Your Organization ID in the Cisco Umbrella SIG User Guide.

Do one of the following:

  • In the Legacy Credentials pane, enter the Registration Key. It is the Umbrella Management API Key, which is part of DNS security policy under unified security policy. Then, enter the Umbrella Management API Secret.

    For Legacy Credentials, navigate to Legacy Keys and select Umbrella Network Devices to obtain the key and secret.

Or

  • From Cisco Catalyst SD-WAN Manager Release 20.15.1, in the Scope Credentials pane, enter the Registration Key. It is the Umbrella Management API Key, which is part of DNS security policy under unified security policy. Then, enter the Umbrella Management API Secret.

    For Scope Credentials, go to API Keys and choose the appropriate key scope based on your requirements. Ensure that Tunnels and Network Devices are selected in the deployments tab (these API Keys are read/write keys).

to add Cisco Umbrella Registration Key and Secret. Specific network-devices keys are used in DNS.

Also see Information About Cisco Umbrella Scope Credentials.

You can edit the Umbrella credentials from Administration > Settings > Cloud Provider > Cloud Credentials.

Match All VPN

Click Match All VPN to keep the same configuration for all the available VPNs.

Custom VPN Configuration

Choose Custom VPN Configuration to input the specific VPNs.

Local Domain Bypass List

Perform one of these actions:

  • Choose a local domain from the drop-down list.

  • Choose Create New.

If you click Create New, configure these options:

  • Name

  • Description (optional)

  • Local domain

    From Cisco Catalyst SD-WAN Manager Release 26.1.1.1, 256 local domain bypass entries are supported.

DNS Server IP

Configure DNS Server IP from these options:

  • Umbrella Default

  • Custom DNS

    The DNS security fallback feature is not supported for custom DNS. You must configure an explicit NAT route to the DNS server for the custom DNS redirect to work.

DNSCrypt

Enable or disable the encryption of DNS packets.

The DNS security fallback feature is not supported for DNSCrypt.

3. Click Save.