I have the same problem. I have a case open with Meraki support, who are attempting to reproduce it in the lab. Here is what I have learned so far. When Umbrella DNS protection is applied through the API (e.g. Appliance, SSID or Group Policy), DNS should be intercepted and redirected to Umbrella. This had been working until I implemented Umbrella AutoVPN integration. DNS is still intercepted, but packet capture shows it is egressing the VPN interface, not the Internet interface, even though the VPN to which policy is applied is not participating in AutoVPN. According to https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Manually_Integrating_Cisco_Umbrella_with_Meraki_Networks this is expected (near the bottom, "expected routing behavior"); however, the doco for Umbrella AutoVPN integration says to manually exclude DNS from the tunnel: https://documentation.meraki.com/MX/Site-to-site_VPN/MX_and_Umbrella_SIG_(UMB-SIG)_SD-WAN_Deployment_Guide (at the bottom, "DNS Policy Consideration"). That should fix it, but these measures have no effect. My only workaround until this is resolved is to revert to Network based policy. As soon as I remove the Umbrella policy from the Meraki GP, the issue goes away.