Meraki

Community

Cisco DNS Umbrella is blocking legitim site! how to overcome this issue ?

HaniAbuelkhair4
Getting noticed
‎Jan 5 2022 9:35 AM
‎Jan 5 2022 9:35 AM

Cisco DNS Umbrella is blocking legitim site! how to overcome this issue ?

I am using Cisco DNS Umbrella for my DHCP clients and its blocking legitim site, how can i overcome this issue ?

 

 

HaniAbuelkhair4_0-1641404006238.png

 

0 Kudos
10 Replies 10
ww
Kind of a big deal
Kind of a big deal
‎Jan 5 2022 10:09 AM
‎Jan 5 2022 10:09 AM

Do you have access to umbrella portal . I asume you should whitelist there

0 Kudos
In response to ww
HaniAbuelkhair4
Getting noticed
‎Jan 5 2022 11:08 AM
‎Jan 5 2022 11:08 AM

I don't have access, as i am using it as my DNS on the DHCP 

 

0 Kudos
Ryan_Miles
Meraki Employee
Meraki Employee
‎Jan 5 2022 12:14 PM
‎Jan 5 2022 12:14 PM

As ww mentioned this is being enforced by Umbrella, not Meraki. You'll need to access your Umbrella dashboard to remedy this.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to Ryan_Miles
HaniAbuelkhair4
Getting noticed
‎Jan 5 2022 1:00 PM
‎Jan 5 2022 1:00 PM

I understand but i don't have access to the umbrella DNS

I am using the Meraki security and SD WAN>configure>DHCP>DNS nameservers : use Umbrella 

 

This is free service and no subscription 

0 Kudos
In response to HaniAbuelkhair4
Ryan_Miles
Meraki Employee
Meraki Employee
‎Jan 5 2022 1:34 PM
‎Jan 5 2022 1:34 PM

Configuring the DNS servers for Umbrella just assign the 208.x.x.x server IPs to client IP leases. There should be no Umbrella enforcement policies in play. The Umbrella block page is being served up from Umbrella. The MX nor Meraki dashboard would/can present that page.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 5 2022 1:40 PM
‎Jan 5 2022 1:40 PM

Before allowing anything and overriding a security system - you need to satisfy yourself that it has not been compromised.  You could do some Google searches on the domain, perhaps check with the site operator if they know why Umbrella would be listing it as having been used for phishing.  Ideally, have the site owners run an external security scan.

 

Umbrella does not usually get phishing warnings wrong.  You should err on the side of caution.

 

Next, if you are satisfied Umbrella really is wrong, you can't override anything with a free Umbrella account.  You need a paid account to be able to whitelist domains.

 

From reading further down, it sounds like you are using a free account.  That being the case, I only see two options:

1. Stop using Umbrella temporarily.

2. Change to a paid account.  You can get more info at https://umbrella.cisco.com/

 

 

Also, I would take extra special precautions accessing this site for the moment (assuming you override Umbrella) because you are increasing your risk posture.  Let users know there is an elevated risk accessing the site and they should be extra careful clicking on links to verify if they are real or fraudulent, and to be careful of anything asking for passwords, personal information, etc.  They should be looking for anything unusual for differences in behaviour.

I would also double-check the anti-malware on the machines accessing the site are right up to date.

Ryan_Miles
Meraki Employee
Meraki Employee
‎Jan 5 2022 1:42 PM
‎Jan 5 2022 1:42 PM

Just did some googling and testing. If I change my default Firefox settings I get the same block page from Umbrella when going to the URL you mentioned.

 

By default Firefox is set to use Cloudflare for DNS over HTTPS. When I set it to use custom https://doh.opendns.com/dns-query I get the block page when trying to access loft.hometrust.ca.

 

Screen Shot 2022-01-05 at 1.39.20 PM.png

 

Did someone perhaps change the browser settings on your machines to use some non default DNS config?

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
KarstenI
Kind of a big deal
Kind of a big deal
‎Jan 5 2022 2:09 PM
‎Jan 5 2022 2:09 PM

Talos, Brightcloud and Virustotal say that there is no threat known to this site. Either Umbrella has seen something very recently or it is a misclassification that should be gone anytime soon.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
marrees
Comes here often
‎Jan 6 2022 2:03 AM
‎Jan 6 2022 2:03 AM

Umbrella/SecureX shows the domain as clean, and there hasn't ever been any classifications of security or malware issues.

Screen Shot 2022-01-06 at 8.27.17 pm.png

0 Kudos
Carolinet
New here
‎Jan 7 2022 2:06 AM
‎Jan 7 2022 2:06 AM

If your recently configured domain is blocked by Cisco Umbrella, please wait 13 days for Umbrella to properly classify your domain and automatically unblock it. If you have an urgent need to add a domain to your allow list, click the Request Allow List Review button on the right to submit your request.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.