Cisco DNS Umbrella is blocking a legitimate site! How to overcome this issue?

HaniAbuelkhair4
Getting noticed

I am using Cisco DNS Umbrella for my DHCP clients and it's blocking a legitimate site. How can I overcome this issue?

ww
Kind of a big deal

Do you have access to the Umbrella portal? I assume you should whitelist there.

I don't have access, as I am using it as my DNS on the DHCP.

Ryan_Miles
Meraki Employee

As ww mentioned, this is being enforced by Umbrella, not Meraki. You'll need to access your Umbrella dashboard to remedy this.

I understand, but I don't have access to the Umbrella DNS.

I am using the Meraki Security & SD-WAN > Configure > DHCP > DNS nameservers: Use Umbrella

This is a free service with no subscription.

Configuring the DNS servers for Umbrella just assigns the 208.x.x.x server IPs to client IP leases. There should be no Umbrella enforcement policies in play. The Umbrella block page is being served up by Umbrella. Neither the MX nor the Meraki dashboard would/can present that page.

PhilipDAth
Kind of a big deal

Before allowing anything and overriding a security system, you need to satisfy yourself that it has not been compromised. You could do some Google searches on the domain, perhaps check with the site operator if they know why Umbrella would be listing it as having been used for phishing. Ideally, have the site owners run an external security scan.

Umbrella does not usually get phishing warnings wrong. You should err on the side of caution.

Next, if you are satisfied Umbrella really is wrong, you can't override anything with a free Umbrella account. You need a paid account to be able to whitelist domains.

From reading further down, it sounds like you are using a free account. That being the case, I only see two options:

1. Stop using Umbrella temporarily.

2. Change to a paid account. You can get more info at https://umbrella.cisco.com/

Also, I would take extra special precautions accessing this site for the moment (assuming you override Umbrella) because you are increasing your risk posture. Let users know there is an elevated risk accessing the site and they should be extra careful clicking on links to verify if they are real or fraudulent, and to be careful of anything asking for passwords, personal information, etc. They should be looking for anything unusual or for differences in behaviour.

I would also double-check that the anti-malware on the machines accessing the site is right up to date.

Ryan_Miles
Meraki Employee

Just did some googling and testing. If I change my default Firefox settings I get the same block page from Umbrella when going to the URL you mentioned.

By default Firefox is set to use Cloudflare for DNS over HTTPS. When I set it to use the custom https://doh.opendns.com/dns-query, I get the block page when trying to access loft.hometrust.ca.

Did someone perhaps change the browser settings on your machines to use some non-default DNS config?
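The check described in this reply (does the Umbrella DoH resolver answer differently from the browser's default resolver?) can be scripted, as an added example that is not code from the thread or from Cisco/Meraki: the Cloudflare endpoint URL and the block-page address range are assumptions (the range is an RFC 5737 placeholder you must replace), and the embedded DNS response is constructed so the parser can be exercised offline.

```python
import socket, struct, urllib.request
from ipaddress import ip_address, ip_network
UMBRELLA_DOH = "https://doh.opendns.com/dns-query"      # endpoint named in the thread
REFERENCE_DOH = "https://cloudflare-dns.com/dns-query"  # assumption: Firefox's default DoH provider
# Placeholder range (RFC 5737 TEST-NET-1): replace with the block-page range Umbrella documents.
BLOCK_PAGE_RANGES = [ip_network("192.0.2.0/24")]
def build_query(name, qid=0x1234):
    """RFC 1035 wire-format A/IN query with the RD bit set."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)
def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past the name field)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                        # compression pointer (RFC 1035 s4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode()); off += ln
    return ".".join(labels), (off if end is None else end)
def parse_a_records(msg):
    """IPv4 addresses from the answer section of a wire-format DNS response."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    off, addrs = 12, []
    for _ in range(qdcount):                         # skip the question section
        off = _read_name(msg, off)[1] + 4
    for _ in range(ancount):
        off = _read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10]); off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs
def doh_lookup(url, name):
    """POST the query to a DoH endpoint (RFC 8484, application/dns-message) and parse A records."""
    req = urllib.request.Request(url, data=build_query(name), headers={"Content-Type": "application/dns-message", "Accept": "application/dns-message"})
    return parse_a_records(urllib.request.urlopen(req, timeout=10).read())
def classify(umbrella_addrs, reference_addrs):
    # A block-page address from Umbrella means the Umbrella resolver itself is enforcing the block.
    if any(ip_address(a) in net for a in umbrella_addrs for net in BLOCK_PAGE_RANGES):
        return "umbrella-block-page"
    return "same-answer" if set(umbrella_addrs) == set(reference_addrs) else "differs"
# Constructed sample response: example.test -> 192.0.2.1, answer name given via a compression pointer.
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x07example\x04test\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x01")
```

To run it live, call `classify(doh_lookup(UMBRELLA_DOH, name), doh_lookup(REFERENCE_DOH, name))` for the domain in question; "umbrella-block-page" or "differs" points at the Umbrella resolver, while "same-answer" means the block is coming from somewhere else on the client.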

KarstenI
Kind of a big deal

Talos, Brightcloud and Virustotal say that there is no threat known to this site. Either Umbrella has seen something very recently or it is a misclassification that should be gone anytime soon.

marrees
Comes here often

Umbrella/SecureX shows the domain as clean, and there haven't ever been any classifications of security or malware issues.


Carolinet
New here

If your recently configured domain is blocked by Cisco Umbrella, please wait 13 days for Umbrella to properly classify your domain and automatically unblock it. If you have an urgent need to add a domain to your allow list, click the Request Allow List Review button on the right to submit your request.
