As organizations increasingly adopt cloud-based security models, DNS-layer filtering has become a critical control for threat prevention and policy enforcement. This paper examines Cisco Umbrella’s content filtering capabilities, focusing on its recursive DNS architecture, categorization engine, and integration with secure web gateways (SWG). We analyze how Cisco Umbrella mitigates risks such as phishing, malicious domains, and inappropriate content before an HTTPS connection is established. Furthermore, we compare its performance against traditional on-premises proxy-based filters, highlighting advantages in latency, scalability, and roaming user protection. The paper concludes with best practices for policy configuration and discusses limitations related to encrypted traffic and custom category management.
| Solution | Filtering Layer | Decryption | On-prem option | Price (approx) | | :--- | :--- | :--- | :--- | :--- | | Cisco Umbrella | DNS + SWG | Optional | No (cloud-only) | $$ | | Zscaler Internet Access | Proxy + SSL | Required | No | $$$ | | FortiGate (UTM) | Proxy + DNS | Optional | Yes | $$ | | Cloudflare Gateway | DNS + HTTP | Optional | No | $ | cisco umbrella content filtering
With Encrypted Client Hello (ECH) in TLS 1.3, the domain name can be hidden from passive DNS observers. However, Umbrella operates as the DNS resolver, so it still sees the plaintext domain request. This remains effective. However, Umbrella operates as the DNS resolver, so
Cisco Umbrella supports custom destination lists (up to 1000 entries). However, regex or wildcard domains are limited (only prefix/suffix wildcards). For granular filtering, external threat intelligence feeds via API are recommended. Umbrella operates as the DNS resolver