Another security technique that Cisco SD-WAN leverages is the DNS Web Layer Security provided by Cisco Umbrella cloud. DNS security is an essential part of an organization's security strategy because a connection to a malicious or inappropriate website on the Internet can be prevented before it is even established. 

Once a WAN edge router is configured with a DNS security policy, it intercepts DNS queries coming from the LAN and redirects them to Cisco Umbrella DNS. Depending on the requested webpage, the following outcomes can occur, as illustrated in figure 1 below:

  • If the requested webpage is known to be good and is allowed in the Umbrella policy (configured via the Umbrella portal), the resolver returns the website's IP address.
  • If the requested URL is known to be a harmful website or isn't allowed within the configured Umbrella policy, the resolver returns the IP address of a block landing page.
  • If the requested page is unknown to Umbrella, the resolver can be configured to redirect the query to an Intelligent Proxy that interposes itself as a man-in-the-middle(MiM). This allows Umbrella to inspect the web page's content for malware, phishing attacks, and other security threats compromising the end client's security.
DNS Web Layer Security
Figure 1. DNS Web Layer Security

DNS Encryption and Authentication

DNS is an old protocol. It has been around forever. Initially, it didn’t include any embedded security mechanism. Any device along the DNS traffic path between a client and a server can interfere without being detected. Hackers abuse this lack of security by conducting trivial DNS attacks.

Because originally, DNS had no encryption and authentication mechanisms put in place, organizations and work groups have tried to secure the protocol using different approaches. As a result, multiple different DNS security implementations have emerged, such as:

  • DNSSEC
  • DNSCrypt
  • EDNS
  • DNS over TLS
  • DNS over DTLS
  • DNS over SSH
  • DNS over HTTPS (DoH) 
  • DNS over QUIC

Some did not gain traction, while others have been widely adopted. However, it is important to know that Cisco SD-WAN DNS security supports DNSCrypt, EDNS, and TLS decryption. EDNS is an official specification of the protocol that expands several parameters in order to carry metadata (such as VPN ID) which an Umbrella policy can leverage.

DNS local domain bypass

Almost every organization nowadays has internal resources relying on DNS for URL-to-IP resolution. For that reason, the Cisco SD-WAN DNS security policy allows us to specify a list of internal domains that bypass the DNS interception process.

When a WAN edge router intercepts a DNS query, it first checks the FQDN against the internal domain list. If the FQDN matches an entry in the list, the edge router allows the DNS query to pass through without being intercepted by the DNS security policy.

DNS Security Order of Operations

Figure 2 shows the order of operation of an edge router in the context of the security functionalities. Notice that the DNS interception process occurs on the service-side processing way before the other security functions. 

SD-WAN Security features Order-of-operation
Figure 2. SD-WAN Security features Order-of-operation

Limitations

The DNS security feature has some notable limitations that must be considered when an organization devices to enable the Cisco Umbrella integration.

  • Only DNS over UDP is supported for Umbrella redirection (DNS over TCP is not supported).
  • Policy enforcement can't be applied if the user accesses the IP address directly, like http://IP_address instead of FQDN.
  • If the user is connected via VPN or a Web Proxy, the edge router can't detect and intercept the DNS query.
  • Umbrella DNS redirect doesn't work with data-policy NAT. For example, suppose Internet-bound traffic is NATed by a data policy instead of a NAT static route. In that case, we must add an additional policy rule that matches DNS queries and sets action Umbrella redirect. The rule must be configured in a sequence before the NAT rule.