Cisco Umbrella DNS queries

Just browsing


Hey all, during the last couple weeks our security center on the Meraki Dashboard has been blowing up with suspicious .null DNS queries, all going to our Polycom phones. I'm talking upwards of 14,000 hits a day. Upon further research, all the traffic seems to be coming from San Francisco, home of the Cisco Umbrella DNS that Meraki recently integrated with their systems. There doesn't seem to be any noticeable drop in QoS, but does anybody know the solution for stopping all the .null queries if we don't plan on incorporating Umbrella?

Kind of a big deal

So you're receiving these queries from the outside? Sorry, I'm not fully getting your point here. What are you trying to block here? Are you using Umbrella?

Kind of a big deal

The Umbrella integration is not recent.

It sounds like you have had a recent and sudden change in your environment that has been detected with no known changes having been done.

I think you need to do some further packet captures and investigate internally further. This could be an indicator that your internal systems have been compromised. Make sure your backups are working.

When did you last upgrade the firmware on the Polycom phones - I think I would do that ASAP.

I did a round of packet captures and the security threats are originating from the Polycom phones reaching out to their primary and secondary DNS servers. I spoke with Vonage tech support and it seems that our MX devices typically don't support Polycom. We had a firmware update on all our MX devices a month and a half ago, but our phones are currently up to date. I've created a firewall rule to allow the outbound communication but I'm still receiving the same number of security threats per day.
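A small triage script to quantify what the packet captures show, as an added example that is not from the thread or from Meraki, Polycom or Vonage. It assumes DNS query logs exported as one line per query (timestamp, client IP, query name, record type) and uses constructed sample lines; it groups queries to the ".null" TLD by client so the noisy hosts can be matched against the phone VLAN.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (not real data); the line format is an assumption:
# "<timestamp> <client_ip> <query_name> <qtype>".
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.10.20.11 phone-cfg.example.null A
2024-05-01T09:00:01 10.10.20.11 phone-cfg.example.null AAAA
2024-05-01T09:00:02 10.10.20.12 sip-registrar.example.null A
2024-05-01T09:00:03 10.10.30.5 www.example.com A
2024-05-01T09:00:04 10.10.20.11 ntp.example.null A
2024-05-01T09:00:05 10.10.30.5 mail.example.com MX
"""

# TLDs that a public resolver will never answer; ".null" is the one in the thread.
UNRESOLVABLE_TLDS = {"null"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_line(line):
    """Split one log line into (timestamp, client, qname, qtype); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return ts, client, qname.rstrip(".").lower(), qtype

def tld_of(qname):
    return qname.rsplit(".", 1)[-1]

def find_unresolvable_queries(log_text, tlds=UNRESOLVABLE_TLDS):
    """Return {client_ip: Counter({qname: count})} for queries to dead TLDs."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, client, qname, _ = rec
        if tld_of(qname) in tlds:
            hits[client][qname] += 1
    return dict(hits)

def top_talkers(hits, min_queries=1):
    """Clients ranked by total dead-TLD query volume, highest first."""
    totals = [(sum(c.values()), ip) for ip, c in hits.items() if sum(c.values()) >= min_queries]
    return [(ip, n) for n, ip in sorted(totals, reverse=True)]

if __name__ == "__main__":
    hits = find_unresolvable_queries(SAMPLE_LOG)
    for ip, n in top_talkers(hits):
        print(f"{ip}: {n} queries -> {sorted(hits[ip])}")
```

Raising min_queries to a per-day threshold turns the same function into a simple alert filter, and the returned query names show which hostnames the phones are trying to resolve.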
