Today, we’re excited to announce the availability of two new security categories for Umbrella: DNS tunneling VPN and Potentially harmful.

DNS tunneling VPN

DNS tunneling is the ability to encode the data of other programs or protocols in DNS queries and responses.1 Anti-virus programs and security services use DNS tunneling to fetch signatures. But, not everyone uses DNS tunneling for legitimate reasons. It can be used to hide outbound traffic, concealing data that is typically shared through an internet connection. For example, a DNS tunneling VPN service could be used to exfiltrate data — and since the traffic isn’t normally monitored, such an attack would be difficult to catch.

To help with this, we are announcing DNS tunneling VPN as a new security category within Cisco Umbrella. This category classifies servers associated with commercial DNS tunneling VPN services. These services allow users to disguise outgoing traffic as DNS queries, potentially violating acceptable use, data loss prevention, or security policies. These services present a potential security threat and reduce overall visibility. By enabling this new security category, Umbrella customers will be able to reduce the risk of DNS tunneling and potential data loss.

Potentially harmful

Beyond DNS tunneling VPNs, other types of DNS tunneling have use cases that can be uncertain and risky. It can be beneficial to monitor and possibly block these uses and other suspicious domains.

Our researchers have developed the Potentially harmful category to give customers insight and visibility into these domains. You can think of it as the “I have a bad feeling about this” category. It contains domains that are likely to be malicious, but with a lower level of confidence than those that are classified in our normal block lists. For example, DNS tunneling services that cannot be tied to a specific type of service will fall into this security category. Another example comes from our Spike rank model. The traffic that hits high on the Spike rank domain will automatically be classified as malicious, and traffic that is lower on the threshold will fall into the potentially harmful category.


For both categories, customers can block or monitor the results in reports, providing flexibility to determine what is right given their specific risk tolerance.

These categories will be available to customers of all Umbrella packages and Umbrella for MSPs starting January 18th.


This post is categorized in: