Describes DNS security routing and fallback strategies, including the fallback mechanisms that maintain name resolution continuity and preserve security enforcement when DNS resolution fails or is disrupted.
A DNS security routing fallback mechanism is an implementation that:
- ensures that device configuration dictates the egress path of packets,
- maintains symmetric routing based on the device's routing table, and
- lets data policy configuration take precedence over the local DNS security policy.
DNS security uses the service VPN route configuration to establish connectivity to DNS servers, ensuring that device routing tables determine the egress path.
If you want DNS security traffic to keep egressing via the global VRF (direct internet access), configure a NAT DIA route in the service VPN for the Umbrella resolver addresses 208.67.222.222 and 208.67.220.220.
Integration with NAT trackers
You can configure a NAT tracker to monitor the availability of the DIA path:
- If the path is healthy, DNS traffic uses the NAT DIA route.
- If the path fails, the NAT tracker detects the failure and withdraws the route, and the device performs a new route lookup to find an alternative path, such as the overlay.
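As an added example (not configuration from the original page), the following Cisco IOS XE SD-WAN CLI ties the two pieces together: NAT DIA routes in service VPN 1 for the two Umbrella resolvers, and an endpoint tracker on the DIA transport interface so that the NAT route is withdrawn when the path fails. The VRF number, interface name, tracker name, tracked endpoint and tracker timers are assumptions chosen for illustration; only the Umbrella addresses come from the page.

```cisco
! Added example, not from the original page.
! Assumed topology: VRF 1 is the client-facing service VPN and
! GigabitEthernet1 is the DIA transport interface in the global VRF.
!
! 1. Health tracker bound to the DIA interface. The tracker name, the
!    probed endpoint and the timers (seconds / count / milliseconds)
!    are assumptions for this example.
endpoint-tracker umbrella-dia
 tracker-type interface
 endpoint-ip 208.67.222.222
 interval 30
 multiplier 3
 threshold 300
!
interface GigabitEthernet1
 ip nat outside
 endpoint-tracker umbrella-dia
!
! 2. NAT DIA routes in the service VPN for the Umbrella resolvers.
!    The route is installed in VRF 1 and points at the global VRF, so
!    DNS security traffic from VRF 1 egresses via DIA while these
!    routes are present. When the tracker goes down, they are withdrawn
!    and the device falls back to whatever VRF 1 otherwise has for these
!    destinations (for example an OMP-learned route via the overlay).
ip nat route vrf 1 208.67.222.222 255.255.255.255 global
ip nat route vrf 1 208.67.220.220 255.255.255.255 global
!
! 3. Verify tracker state and the resulting route lookup in VRF 1.
show endpoint-tracker records
show ip route vrf 1 208.67.222.222
show ip route vrf 1 208.67.220.220
```

The fallback only works if VRF 1 has some other route (a default or a more specific prefix) toward the Umbrella resolvers once the NAT DIA routes are gone; if the second `show ip route vrf 1` lookup returns nothing while the tracker is down, DNS traffic has no path and will be dropped rather than redirected to the overlay.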