Meraki

Phillip9ja

We got an alert from our Cloud provider around a DNS over HTTPS information from one of our VMX-L

You have a GuardDuty Finding Type: DefenseEvasion:EC2/UnusualDoHActivity in the Region: *********

"Description: The EC2 instance ************* is performing an unusual DNS Over HTTPS (DoH) communication with server 208.67.220.220.."

208.67.220.220 - Cisco Open DNS

Kindly Advise any information related to this info.

Brash

That is the IP address of the OpenDNS/Cisco Umbrella security solution.

It's likely that either a client on your network has the Cisco Secure Connect client with Umbrella module installed, you have an integration with Cisco Umbrella on the MX or you've configured "Use Umbrella" for DNS in one of your DHCP scopes.

RaphaelL

I would be curious to know if you are using Umbrella.

I have an open case ( from 2022... ) that all my MX450s in Concentrator mode are sourcing that type of trafic and we are not using umbrella. I wasn't able to get an answer from Meraki since then.

rhbirkelund

A case open since 2022, and support still won't answer? Tried getting an SE to push for an answer?

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.

RaphaelL

This is one of the lowest priority case between all our active cases (20-30). They will get there , but geting concrete answers has been a hard task lately.

Phillip9ja

@RaphaelL You are probably right.

We are yet to see any evidence of Umbrella Security Solution used in our environment.