Cisco Umbrella Rollout…Oh, where have my A-Records gone?


During one of my Cisco Live conferences I was talking to OpenDNS about their security features, which protect networks and endpoints by filtering DNS requests and blocking resolution of malicious names. I always thought it was a neat idea to add another layer of security. Cisco acquired OpenDNS and created a product called Cisco Umbrella, bundling the OpenDNS features and adding telemetry from thousands of ASA firewalls installed worldwide plus the magic sauce of Talos. For a smaller shop like the one we run, getting all this information lets us benefit from much bigger installations, and the pricing was actually not too bad, so we purchased licenses and rolled it out. It has been running for about 3 months; the implementation is not overly complicated and does not require many changes to existing infrastructure. We did hit a nasty bug though, more on that later.

Umbrella in its simplest form can be deployed just by setting up internal networks, telling it where you are coming from (your NAT'd public IPs) and creating policies for what you want to allow.

One cool feature is that if you decide to deploy the virtual appliances and tie them into your domain controllers, you get full visibility, meaning I can see that user xyz did a DNS query from machine abc to go to site 123. Very cool! Just point your endpoints' DNS to your appliances and it's done.

One observation I'd like to point out, to maybe save someone some hours of troubleshooting: when you run the script on your domain controllers, it does not set the DCOM privileges for the OpenDNS_Connector user correctly.

Follow these steps from Umbrella’s KB and reboot. The machine should register correctly in the dashboard after a while.

To verify DCOM Permissions:

1. From a command line run dcomcnfg
2. Console Root > Component Services > Computers
3. Right-click on My Computer and select Properties.
4. From My Computer Properties select COM Security tab.
5. In “Launch and Activation Permissions” area click “Edit Limits”.
6. Add the OpenDNS_Connector user and allow Remote Launch and Remote Activation permissions.
7. Click OK to confirm and close My Computer Properties.

I can furthermore assign policies to AD groups or computers. We also rolled out the stand-alone client on our non-domain laptops. These machines get the added protection of our Umbrella installation without being on our network.

Now, of course, being in IT and all that, not everything went without a problem. We hit a nasty bug affecting older systems, mainly Windows 7 and Server 2008 R2. In short, when you change the DNS server settings on those systems, the DNS client tells the old MS DNS server to delete the machine's A record. The logic being that, since it is now using the new server, it will register there. Which would work, except the Umbrella appliance forwards queries for systems on your local network to your local DNS servers rather than hosting the zone itself. The result is that the A record is gone! Fun times!

Luckily there is a fix for this. It’s all documented here as well:

https://support.microsoft.com/en-us/help/2520155/dns-host-record-of-a-computer-is-deleted-after-you-change-the-dns-serv

The hotfix does require a reboot. To keep an eye on which records were being deleted, so we could quickly re-register the system via ipconfig /registerdns until the hotfix was rolled out, a PowerShell script was created to send a tombstone report. (Kudos to my team!)

# Requires the ActiveDirectory module (RSAT / AD DS tools)
Import-Module ActiveDirectory

# Collect every DNS node that AD DNS has marked as tombstoned (i.e. deleted)
Get-ADObject -Filter 'dnsTombstoned -eq $true' -Properties dNSTombstoned,name,distinguishedName,whenChanged -OutVariable body

# Convert the array into a string (needed for emailing)
$body = $body | Out-String -Width 4096

# From/To/SMTPServer are placeholders; fill in your own values
$email = @{
    From       = ""
    To         = ""
    Subject    = "Tombstone DNS Report"
    SMTPServer = ""
    Body       = $body
}

Send-MailMessage @email

We had this scheduled via TaskScheduler to run every 4 hours.
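As an added example (not the script from the post or from Cisco/Microsoft), here is a variant of the same tombstone report that also searches the DomainDnsZones and ForestDnsZones application partitions, where AD-integrated zones are stored by default and which a Get-ADObject call without -SearchBase does not cover, and that mails only records not reported on a previous run. The state-file path and mail settings are assumed placeholders.

```powershell
# Added example, not the post's own script. Assumes the ActiveDirectory module and
# placeholder mail settings below; adjust them for your environment.
Import-Module ActiveDirectory

function Get-TombstonedDnsRecord {
    $domainDN = (Get-ADDomain).DistinguishedName
    $forestDN = 'DC=' + ((Get-ADForest).RootDomain -replace '\.', ',DC=')
    $searchBases = @(
        "CN=MicrosoftDNS,CN=System,$domainDN",   # legacy (Windows 2000 style) zone storage
        "DC=DomainDnsZones,$domainDN",           # default for domain-replicated zones
        "DC=ForestDnsZones,$forestDN"            # default for forest-replicated zones
    )
    foreach ($base in $searchBases) {
        Get-ADObject -SearchBase $base -Filter 'objectClass -eq "dnsNode" -and dnsTombstoned -eq $true' `
            -Properties name, whenChanged -ErrorAction SilentlyContinue |
        ForEach-Object {
            # DN looks like DC=host,DC=zone.example.com,CN=MicrosoftDNS,...; the zone is the second RDN
            $zone = (($_.DistinguishedName -split ',', 2)[1]) -replace '^DC=([^,]+),.*$', '$1'
            [pscustomobject]@{ Host = $_.Name; Zone = $zone; Tombstoned = $_.whenChanged; DN = $_.DistinguishedName }
        }
    }
}

# Assumed location for the list of records already reported on earlier runs
$stateFile = 'C:\ProgramData\TombstoneReport\reported.txt'
$seen = if (Test-Path $stateFile) { @(Get-Content $stateFile) } else { @() }

$all = @(Get-TombstonedDnsRecord)
$new = @($all | Where-Object { $seen -notcontains $_.DN })

if ($new.Count -gt 0) {
    $body = $new | Sort-Object Tombstoned | Format-Table Host, Zone, Tombstoned -AutoSize | Out-String -Width 4096
    $email = @{
        From       = 'dns-monitor@example.com'   # placeholder
        To         = 'ops@example.com'           # placeholder
        Subject    = "Tombstone DNS Report: $($new.Count) new record(s)"
        SMTPServer = 'smtp.example.com'          # placeholder
        Body       = $body
    }
    Send-MailMessage @email
}

# Remember every currently tombstoned record so the next run reports only new ones.
# A host that was re-registered (ipconfig /registerdns) is no longer tombstoned and
# simply drops out of the list.
New-Item -ItemType Directory -Path (Split-Path $stateFile) -Force | Out-Null
(($all | ForEach-Object { $_.DN }) -join "`n") | Set-Content $stateFile
```

Run it from Task Scheduler under an account that can read the DNS partitions; the first run reports everything currently tombstoned, later runs only the changes.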

After applying the hotfix the system has been very stable. I also want to point out that under OpenDNS there is a free version for home use. Definitely worth checking it out!

Finally, a small activity graph of how many DNS queries our 4 appliances (2x in HQ and 2x in DR) process per 24h. Not bad for a shop with fewer than 150 employees and about 200 endpoints.
