DNS snooping for FQDN-based firewall rules

SimonT
Here to help

Could anyone explain the correct setup so that Meraki can do DNS snooping for FQDN-based firewall rules with the following environment?

Windows network with Windows DHCP and DNS Servers.
Windows endpoints with Secure Client and Umbrella

Endpoints DNS points to Umbrella virtual appliances with local DNS pointing back to Windows DNS servers.
Active directory integrated with Umbrella.
MX84 Firewall

The MX84 does not see DNS requests from endpoints, so FQDN-based firewall rules fail. How should this be set up? I must keep the Windows DHCP servers and local DNS running for Active Directory.

RaphaelL
Kind of a big deal

Hi,

DNS requests must be seen by the MX, so they can't be encrypted and can't be intra-VLAN DNS requests.

DNS requests over Auto-VPN/NMVPN are fine.

DNS requests over the Internet are fine.

DNS requests inter-VLAN are fine.

SimonT
Here to help

Thanks for the comment. My understanding is that requests from the endpoint to the Umbrella virtual appliances are not encrypted, but from the virtual appliance onward they might be. But how would local DNS caching work, as the MX won't see these DNS requests?

Brash
Kind of a big deal

The clients will send unencrypted DNS requests to the Umbrella Virtual Appliance.

The Umbrella Virtual Appliance will then proxy requests for public domains upstream to the Umbrella cloud via an encrypted tunnel.

If the MX does not reside between the clients and the virtual appliance (where it can intercept the unencrypted lookups), it will not be able to intercept these DNS requests and therefore the FQDN-based rules will fail.

SimonT
Here to help

This makes sense on paper, but I am not sure how to implement it, as it would mean moving the appliance to a DMZ in front of the firewall. The appliance would then also need a route back into the network for the AD connector.

Can Umbrella be set to unencrypted DNS, or can 443 be blocked so that DNS requests are sent unencrypted?

Both solutions are not perfect.

Brash
Kind of a big deal

There are a few ways I can think of (potentially license dependent).

1. You can configure the clients to point to the MX for DNS resolution. You can then point your MX to the Umbrella Virtual Appliance as its resolver. The downside of this is that the VA will log all requests as coming from your MX rather than from individual clients.

2. You can integrate the Meraki MX directly with Umbrella. This allows the MX to send internal domain lookups to your internal resolver, and public domain lookups to Umbrella.

Manually Integrating Cisco Umbrella with Meraki Networks - Cisco Meraki Documentation

3. More of a hack-job method, but if there are specific domains you want the MX to have resolution for so your rules work, you can set up one computer to periodically send DNS requests for those domains out to an Internet-based resolver so the MX can observe those lookups.
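The whole thread turns on one mechanism: an FQDN-based rule can only match destination IPs that the firewall learned from DNS answers it actually saw, and only while their TTL is live. The toy snooper below is an added illustration of that mechanism, not Meraki or Umbrella code; the DNS message it parses is constructed in the block, and the name and IP are placeholders. Answers that travel inside the VA's encrypted tunnel never reach `observe()`, which is exactly why the rule fails to match.

```python
import struct

def build_response(name, ip, ttl=300, txid=0x1234):
    """Construct a minimal DNS response (one question, one A answer) for the demo."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA; 1 question, 1 answer
    question = qname + struct.pack("!HH", 1, 1)                  # QTYPE A, QCLASS IN
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # name = pointer to offset 12
    return header + question + answer

def read_name(msg, off):
    """Decode a DNS name at msg[off:], following compression pointers; returns (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            return ".".join(labels), (end if end is not None else off + 1)
        labels.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length

class DnsSnooper:
    """Learns FQDN -> IP bindings only from DNS responses it observes on the wire."""
    def __init__(self):
        self.table = {}   # ip -> (fqdn, expiry timestamp)

    def observe(self, msg, now):
        # Parse one DNS message; record A answers with their TTL. Plain queries are ignored.
        _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
        if not flags & 0x8000:                          # QR bit clear: not a response
            return
        off = 12
        for _ in range(qdcount):
            off = read_name(msg, off)[1] + 4            # skip QNAME, QTYPE, QCLASS
        for _ in range(ancount):
            name, off = read_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 1 and rdlen == 4:               # A record
                ip = ".".join(str(b) for b in msg[off:off + 4])
                self.table[ip] = (name.lower(), now + ttl)
            off += rdlen

    def fqdn_rule_matches(self, dst_ip, fqdn, now):
        """An FQDN rule matches only traffic to IPs the snooper learned and whose TTL is still live."""
        entry = self.table.get(dst_ip)
        return bool(entry) and entry[0] == fqdn.lower() and entry[1] > now
```

Feed `observe()` only the responses the MX would see on its own interfaces and the gaps the replies above describe (intra-VLAN lookups, answers returned over the VA's tunnel) show up as rule misses.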
