Redirecting DNS Requests to Umbrella with FTD

A few days ago I shared an article that described redirecting DNS requests with the ASA. A good use case for this is an organization that is using Cisco Umbrella but has no way to get every host pointed at the correct DNS server(s) in a timely manner. In that case, a destination NAT configuration on the ASA can force those misconfigured clients to use one of the Umbrella (OpenDNS) addresses.

This article is very similar, but here we will share a method for doing this with Firepower Threat Defense (FTD). The concept is the same, but all configuration is done in Firepower Management Center (FMC). Before starting on the NAT configuration, create the following network objects (Objects, Object Management, Network).

  • obj_any – 0.0.0.0/0
  • Umbrella1 – 208.67.220.220
  • Umbrella2 – 208.67.222.222

It is also important to confirm the existence of two port objects (Objects, Object Management, Port).

  • DNS_over_TCP  –  TCP Port 53
  • DNS_over_UDP –  UDP Port 53

Most of the configuration will be done on the NAT policy for the device we are managing (Devices, NAT, select edit for the appropriate NAT policy).

We will need four rules, and they must sit above any other NAT rule that a DNS packet could match (order is important). The two rules that match Umbrella2 exist only so that traffic already headed there is not rewritten to Umbrella1 by the catch-all rule that follows, so each Umbrella2 rule must be placed above its catch-all counterpart.

Rule 1–

Type: Dynamic

Interface Object-
Source Interface Object: any
Destination Interface Object: outside

Translation-
Original Source: any
Original Destination: Address-Umbrella2
Original Source Port: <blank>
Original Destination Port: DNS_over_UDP

Translated Source: Destination Interface IP (your source may be different)
Translated Destination: Umbrella2
Translated Source Port: <blank>
Translated Destination Port: DNS_over_UDP

Rule 2–

Type: Dynamic

Interface Object-
Source Interface Object: any
Destination Interface Object: outside

Translation-
Original Source: any
Original Destination: Address-obj_any
Original Source Port: <blank>
Original Destination Port: DNS_over_UDP

Translated Source: Destination Interface IP (your source may be different)
Translated Destination: Umbrella1
Translated Source Port: <blank>
Translated Destination Port: DNS_over_UDP

Rule 3–

Type: Dynamic

Interface Object-
Source Interface Object: any
Destination Interface Object: outside

Translation-
Original Source: any
Original Destination: Address-Umbrella2
Original Source Port: <blank>
Original Destination Port: DNS_over_TCP

Translated Source: Destination Interface IP (your source may be different)
Translated Destination: Umbrella2
Translated Source Port: <blank>
Translated Destination Port: DNS_over_TCP

Rule 4–

Type: Dynamic

Interface Object-
Source Interface Object: any
Destination Interface Object: outside

Translation-
Original Source: any
Original Destination: Address-obj_any
Original Source Port: <blank>
Original Destination Port: DNS_over_TCP

Translated Source: Destination Interface IP (your source may be different)
Translated Destination: Umbrella1
Translated Source Port: <blank>
Translated Destination Port: DNS_over_TCP

My NAT configuration looks as follows:

[Image: Firepower Umbrella NAT policy]

This configuration has the following effect.

  • DNS requests destined for Umbrella2 (208.67.222.222) will go to that destination unchanged
  • DNS requests destined for any other address, including Umbrella1 (208.67.220.220), will be forwarded to 208.67.220.220

The drawback to this approach is that DNS requests sent to non-Umbrella addresses will always land exclusively on 208.67.220.220; destination NAT alone gives no way to load balance them across both addresses. Note also that because the original source and destination are both any, the rules catch every port 53 packet leaving the outside interface, including queries from an internal recursive resolver that forwards to the internet. If such a resolver should keep reaching its forwarders directly, give it a pass-through rule ahead of the catch-all rules in the same way the Umbrella2 rules work.
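FMC pushes manual NAT rules to the sensor in ASA-style twice NAT syntax, so the quickest way to confirm both the translation and the rule order is to read the policy back from the FTD CLI and run packet-tracer against it. The listing below is an added example and not output from the original post: it shows how the four rules above should render, followed by the checks I would run. The interface name inside and the client and target addresses used in the packet-tracer lines are assumptions.

```cisco
! Expected rendering of the four FMC rules, in rule order (added example;
! object names are the ones defined above, "inside" is an assumed interface).
> show running-config nat
nat (any,outside) source dynamic any interface destination static Umbrella2 Umbrella2 service DNS_over_UDP DNS_over_UDP
nat (any,outside) source dynamic any interface destination static obj_any Umbrella1 service DNS_over_UDP DNS_over_UDP
nat (any,outside) source dynamic any interface destination static Umbrella2 Umbrella2 service DNS_over_TCP DNS_over_TCP
nat (any,outside) source dynamic any interface destination static obj_any Umbrella1 service DNS_over_TCP DNS_over_TCP
!
! Check 1: a query from an inside client to a non-Umbrella resolver
! (8.8.8.8 and 10.1.1.10 are constructed values) should be rewritten to
! Umbrella1. In the NAT phase of the packet-tracer output the destination
! should appear translated to 208.67.220.220, with a final result of ALLOW.
> packet-tracer input inside udp 10.1.1.10 40000 8.8.8.8 53
!
! Check 2: a query already headed to Umbrella2 must match rule 1, not the
! catch-all, so the destination must remain 208.67.222.222.
> packet-tracer input inside udp 10.1.1.10 40000 208.67.222.222 53
!
! Check 3: repeat check 2 over TCP, since rules 3 and 4 are separate.
> packet-tracer input inside tcp 10.1.1.10 40000 208.67.222.222 53
!
! Check 4: watch translate_hits on each rule. If the obj_any rule counts up
! for the Umbrella2 tests, the Umbrella2 rule is sitting below the catch-all.
> show nat detail
```

If the Umbrella2 packet-tracer run shows the destination rewritten to 208.67.220.220, the catch-all rule is being evaluated first; move the Umbrella2 rule above it in FMC and redeploy before trusting the hit counters.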

This configuration was tested and validated on FTD version 6.2.3.2 (build 46).

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.