Umbrella / OpenVPN servers blocked nationally in France and Portugal

Solved
EricI
Here to help

I just learned that OpenVPN / Umbrella DNS servers are blocked in France on a national level following a court order.

That creates a headache for one of our local MXs that uses Umbrella DNS for the uplink - unfortunately the config only points to Umbrella primary and secondary servers and is effectively offline. We need manual intervention, which is always fun on a remote site.

I presume MX devices depend 100% on a DNS service being available to reach management servers and have no fallback option where they are able to pull config from a pre-defined IP address.

So will Cisco launch an alternative for business customers now that Umbrella DNS is effectively dead both in France and Portugal?

OpenDNS Service Not Available To Users In France and Portugal – OpenDNS


1 Accepted Solution
ConnorL
Meraki Employee

As of June 28, 2024, OpenDNS servers 208.67.222.222 and 208.67.220.220 are no longer available for use to users in France and Portugal, possibly resulting in configuration fetch failures and various client connectivity issues.

Customers utilising a paid Cisco Umbrella solution should not be impacted, as this change only impacts the free OpenDNS service.

If you are utilising OpenDNS in these regions, we advise migrating to an alternative DNS provider, such as your ISP's or Google DNS. For customers utilising Cisco Umbrella that are experiencing issues, please contact Meraki Support.

9 Replies
Brash
Kind of a big deal

Given there are specific IP and port requirements for MX cloud connectivity, I would expect the MX could at least connect to the cloud backend without DNS. That said, I've never tried it.

In regards to not being able to use Umbrella anymore, if you're a paying customer and have purchased Umbrella licenses, talk to your Meraki rep to understand what the plan is for the service in those countries.

Thanks - the uplink DNS config is changed in the dashboard for this site so if the MX manages to connect using a fallback IP address of some kind it should possibly pick up the change. It has not happened yet though. We will force a restart and see if that helps.

PhilipDAth
Kind of a big deal

I have just been reading about this prompted by your link. What are these countries thinking!

All Meraki kit can fall back to using only IP addresses for management to connect to the dashboard. It is not ideal. You'll get a warning in the dashboard when this mode is being used.

EricI
Here to help

Now I just learned that Umbrella / OpenDNS are not being blocked, but Cisco actually pulled the plug on their services in France rather than comply with the new ruling (??). While Cloudflare, Google and Quad9 (operated by IBM) comply (?) and therefore continue to operate their comparable DNS services. What a mess. 😅

PhilipDAth
Kind of a big deal

Politics. The courts should never have placed an order on DNS operators.

Next thing they'll be issuing orders against the root name servers.

Brash
Kind of a big deal

It's utterly ridiculous aye

ConnorL
Meraki Employee

As of June 28, 2024, OpenDNS servers 208.67.222.222 and 208.67.220.220 are no longer available for use to users in France and Portugal, possibly resulting in configuration fetch failures and various client connectivity issues.

Customers utilising a paid Cisco Umbrella solution should not be impacted, as this change only impacts the free OpenDNS service.

If you are utilising OpenDNS in these regions, we advise migrating to an alternative DNS provider, such as your ISP's or Google DNS. For customers utilising Cisco Umbrella that are experiencing issues, please contact Meraki Support.

Thanks for the insight.

Since paying customers also use 208.67.222.222 and 208.67.220.220 (for instance on an MX WAN interface), I presume those DNS requests that match an Umbrella network identity are allowed, and only those that do not match a network identity are denied/blocked?

ConnorL
Meraki Employee

Hey @EricI,

That is correct yes, those with a Cisco Umbrella subscription and a correctly configured integration should not be impacted. If you are, I recommend contacting Support.
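
Added example, not part of any post in this thread and not Meraki or Cisco code: a small Python probe to run from a site's network, showing which candidate uplink DNS servers still return answers before a device is left depending on them. The resolver list uses the two addresses named in the thread plus Google DNS (8.8.8.8); the query name `example.com` and all function names are assumptions.

```python
import secrets
import socket
import struct

# OpenDNS addresses named in the thread, plus Google DNS (the suggested alternative).
RESOLVERS = ["208.67.222.222", "208.67.220.220", "8.8.8.8"]
RCODES = {1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, txid):
    """Encode a DNS A-record query with recursion desired."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(reply, txid):
    """Turn a raw reply into a verdict: ok, empty, malformed or an RCODE name."""
    if len(reply) < 12:
        return "malformed"
    rid, flags, _qd, ancount = struct.unpack("!4H", reply[:8])
    if rid != txid or not flags & 0x8000:  # wrong ID, or not a response at all
        return "malformed"
    rcode = flags & 0x000F
    if rcode:
        return RCODES.get(rcode, "RCODE%d" % rcode)
    return "ok" if ancount else "empty"

def probe(resolver, name, timeout=2.0):
    """Query one resolver over UDP/53; 'no-answer' covers timeouts and ICMP errors."""
    txid = secrets.randbits(16)  # unpredictable ID so stray packets are rejected
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((resolver, 53))  # connected UDP: only this peer may reply
            sock.send(build_query(name, txid))
            reply = sock.recv(4096)
        except OSError:
            return "no-answer"
    return classify(reply, txid)

def usable(results):
    """Resolvers that returned a real answer and are safe to configure."""
    return [ip for ip, verdict in results.items() if verdict == "ok"]

if __name__ == "__main__":
    results = {ip: probe(ip, "example.com") for ip in RESOLVERS}  # placeholder name
    for ip, verdict in results.items():
        print(f"{ip:<16} {verdict}")
    if len(usable(results)) < 2:
        print("WARNING: fewer than two working resolvers for this uplink")
```

A verdict other than `ok` for both configured servers is the condition the original post describes, where the uplink has no working resolver left.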
