3.7 URL Filtering & DNS Security
| Field |
Value |
| Document ID |
SDWAN-SEC-3.7 |
| Version |
1.0 |
| Last Updated |
December 2025 |
| Author |
Network Architecture Team |
| Classification |
Internal Use |
1. Executive Summary
This section documents the URL filtering and DNS security implementation for Abhavtech's SD-WAN deployment. The solution leverages Cisco Umbrella integration for cloud-delivered DNS security and on-box URL filtering capabilities to provide comprehensive web security across all sites without backhauling traffic.
1.1 Web Security Architecture
+------------------------------------------------------------------+
| WEB SECURITY ARCHITECTURE |
+------------------------------------------------------------------+
| |
| Layer 1: DNS Security (Umbrella) |
| +----------------------------------------------------------+ |
| | - Block malicious domains at DNS resolution | |
| | - Category-based filtering | |
| | - Threat intelligence integration | |
| +----------------------------------------------------------+ |
| | |
| v |
| Layer 2: URL Filtering (On-Box) |
| +----------------------------------------------------------+ |
| | - Full URL path inspection | |
| | - Reputation-based blocking | |
| | - Custom allow/block lists | |
| +----------------------------------------------------------+ |
| | |
| v |
| Layer 3: SSL Inspection (Optional) |
| +----------------------------------------------------------+ |
| | - Decrypt HTTPS for deep inspection | |
| | - Bypass for sensitive categories | |
| +----------------------------------------------------------+ |
| |
+------------------------------------------------------------------+
1.2 Deployment Summary
| Site |
DNS Security |
URL Filter |
SSL Inspect |
Method |
| Mumbai DC |
Umbrella |
Full |
Yes |
SIG Tunnel |
| Chennai DR |
Umbrella |
Full |
Yes |
SIG Tunnel |
| London |
Umbrella |
Full |
Yes |
SIG Tunnel |
| New Jersey |
Umbrella |
Full |
Yes |
SIG Tunnel |
| Bangalore |
Umbrella |
Standard |
No |
DNS Redirect |
| Delhi |
Umbrella |
Standard |
No |
DNS Redirect |
| Frankfurt |
Umbrella |
Standard |
No |
DNS Redirect |
| Dallas |
Umbrella |
Standard |
No |
DNS Redirect |
| Noida |
Umbrella |
Basic |
No |
DNS Only |
2. Cisco Umbrella Integration
2.1 Umbrella Architecture
+------------------------------------------------------------------+
| UMBRELLA INTEGRATION |
+------------------------------------------------------------------+
| |
| Branch Site Umbrella Cloud |
| +----------------+ +----------------+ |
| | WAN Edge | | Umbrella | |
| | Router | DNS/HTTPS | Resolvers | |
| | |------------->| 208.67.222.222 | |
| | DNS Redirect | | 208.67.220.220 | |
| +-------+--------+ +-------+--------+ |
| | | |
| | v |
| | +----------------+ |
| | | Threat Intel | |
| | | - Malware | |
| | | - Phishing | |
| | | - C2 | |
| | +----------------+ |
| | |
| | Hub Site (SIG Tunnel) |
| | +----------------+ +----------------+ |
| +--->| WAN Edge | IPsec | Umbrella SIG | |
| | DC/Hub |------------->| (Full Proxy) | |
| | SIG Tunnel | +----------------+ |
| +----------------+ |
| |
+------------------------------------------------------------------+
2.2 Umbrella Configuration
! Umbrella DNS Configuration (Branch Sites)
umbrella
token <UMBRELLA_REGISTRATION_TOKEN>
dnscrypt
!
resolver 208.67.222.222
resolver 208.67.220.220
!
vrf Employee
dns-resolver umbrella
!
vrf Guest
dns-resolver umbrella
!
!
! DNS Redirect to Umbrella
ip name-server 208.67.222.222
ip name-server 208.67.220.220
! Prevent DNS bypass
ip access-list extended BLOCK-EXTERNAL-DNS
permit udp any host 208.67.222.222 eq 53
permit udp any host 208.67.220.220 eq 53
deny udp any any eq 53 log
permit ip any any
interface GigabitEthernet0/0/2.10
ip access-group BLOCK-EXTERNAL-DNS in
!
2.3 Umbrella SIG Tunnel (DC/Hub Sites)
! Secure Internet Gateway (SIG) Tunnel
crypto ikev2 profile UMBRELLA-SIG
match identity remote fqdn domain cisco.com
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint UMBRELLA-CA
!
interface Tunnel100
description "Umbrella SIG Tunnel"
ip address negotiated
ip mtu 1400
tunnel source GigabitEthernet0/0/1
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile UMBRELLA-IPSEC
!
! Route traffic through SIG
ip route 0.0.0.0 0.0.0.0 Tunnel100 vpn 10
ip route 0.0.0.0 0.0.0.0 Tunnel100 vpn 20
3. URL Filtering Categories
3.1 Category Definitions
+------------------------------------------------------------------+
| URL FILTERING CATEGORIES |
+------------------------------------------------------------------+
| |
| BLOCKED CATEGORIES (All Users): |
| +----------------------------------------------------------+ |
| | Category | Reason | |
| +----------------------------------------------------------+ |
| | Adult Content | Policy violation | |
| | Gambling | Policy violation | |
| | Malware | Security threat | |
| | Phishing | Security threat | |
| | Hacking | Security threat | |
| | Proxy/Anonymizer | Policy bypass attempt | |
| | Illegal Activities | Legal compliance | |
| | Weapons | Policy violation | |
| | Hate/Violence | Policy violation | |
| +----------------------------------------------------------+ |
| |
| RESTRICTED CATEGORIES (Employees - Limited): |
| +----------------------------------------------------------+ |
| | Social Networking | Limited during work hours | |
| | Streaming Media | Bandwidth limited | |
| | Personal Storage | Data loss prevention | |
| | Gaming | Limited during work hours | |
| +----------------------------------------------------------+ |
| |
| ALLOWED CATEGORIES: |
| +----------------------------------------------------------+ |
| | Business | Always permitted | |
| | Technology | Always permitted | |
| | Education | Always permitted | |
| | News | Always permitted | |
| +----------------------------------------------------------+ |
| |
+------------------------------------------------------------------+
3.2 Per-VPN URL Policy
| VPN |
Block |
Restrict |
Allow |
Custom |
| 10 (Employee) |
Security, Adult, Gambling |
Social, Streaming |
Business, Tech |
whitelist.txt |
| 20 (Guest) |
Security, Adult, All Risky |
Social, Streaming |
News, Weather |
None |
| 30 (IoT) |
All except whitelisted |
N/A |
Cloud IoT platforms |
iot-whitelist.txt |
| 40 (Voice) |
All |
N/A |
Voice services only |
voice-whitelist.txt |
3.3 URL Filtering Configuration
! UTD URL Filtering Configuration
utd engine standard
web-filter
url-filtering
sourcedb external
cloud-lookup
!
block-page-interface vpn 10 FastEthernet0
block-page-interface vpn 20 FastEthernet0
! Block Categories
block-category adult-and-pornography
block-category gambling
block-category malware
block-category phishing-and-other-frauds
block-category hacking
block-category proxy-avoidance-and-anonymizers
block-category weapons
block-category hate-and-racism
! Alert Categories (monitor only)
alert-category social-networking
alert-category streaming-media
alert-category peer-to-peer
! Allow Categories
allow-category business-and-economy
allow-category computer-and-internet-info
allow-category educational-institutions
!
!
4. Custom Allow/Block Lists
4.1 Whitelist Configuration
! Custom Whitelist for Business Applications
url-whitelist ABHAVTECH-WHITELIST
url *.abhavtech.com
url *.microsoft.com
url *.office365.com
url *.salesforce.com
url *.sap.com
url *.servicenow.com
url *.workday.com
url *.okta.com
url *.zoom.us
url *.webex.com
url *.cisco.com
url *.aws.amazon.com
url *.azure.com
!
! IoT Whitelist
url-whitelist IOT-WHITELIST
url *.amazonaws.com
url *.azure-devices.net
url *.iot.us-east-1.amazonaws.com
url *.honeywell.com
url *.schneider-electric.com
!
4.2 Blacklist Configuration
! Custom Blacklist for Blocked Domains
url-blacklist ABHAVTECH-BLACKLIST
url *.torproject.org
url *.1337x.to
url *.thepiratebay.org
url *.mega.nz
url *.dropbox.com ! Personal cloud storage
url *.wetransfer.com ! File sharing
url *.sendspace.com ! File sharing
!
! Competitor Blacklist (Prevent data leakage)
url-blacklist COMPETITOR-BLACKLIST
url *.competitor1.com
url *.competitor2.com
!
5. DNS Security Features
5.1 DNS-Layer Protection
+------------------------------------------------------------------+
| DNS-LAYER PROTECTION |
+------------------------------------------------------------------+
| |
| DNS Query Process with Umbrella: |
| |
| 1. User requests: www.malicious-site.com |
| +-------+ DNS Query +-----------+ |
| | User |------------------>| WAN Edge | |
| +-------+ +-----+-----+ |
| | |
| 2. WAN Edge forwards to Umbrella | |
| +-----+-----+ DNS Query +-----------+ |
| | WAN Edge |------------------>| Umbrella | |
| +-----+-----+ +-----+-----+ |
| | |
| 3. Umbrella checks threat intelligence | |
| +-----------+ BLOCKED +-------+-------+ |
| | Umbrella |---------------->| Threat Intel | |
| +-----------+ | - Known malware| |
| | - Phishing DB | |
| | - C2 servers | |
| +---------------+ |
| |
| 4. Block page returned instead of malicious IP |
| +-------+ Block Page +-----------+ |
| | User |<-------------------| WAN Edge | |
| +-------+ +-----------+ |
| |
+------------------------------------------------------------------+
5.2 DNSCrypt Configuration
! Enable DNSCrypt for encrypted DNS
umbrella
dnscrypt
!
local-domain abhavtech.com
local-domain internal.abhavtech.com
!
resolver 208.67.222.222
resolver 208.67.220.220
!
! DNSCrypt ensures:
! - DNS queries encrypted in transit
! - Prevents DNS spoofing
! - Protects against MITM attacks
5.3 DNS Sinkhole for Malware
! DNS Sinkhole Configuration
ip host sinkhole.abhavtech.com 10.254.99.99
! Redirect known bad domains to sinkhole
ip dns spoofing
ip host malware-domain1.com 10.254.99.99
ip host malware-domain2.com 10.254.99.99
!
! Sinkhole server configuration
! Captures connection attempts for forensics
! Returns HTTP 403 with warning page
6. Time-Based Policies
6.1 Work Hours Restrictions
+------------------------------------------------------------------+
| TIME-BASED URL POLICIES |
+------------------------------------------------------------------+
| |
| Policy Schedule: |
| +----------------------------------------------------------+ |
| | Time Period | Social Media | Streaming | Gaming | |
| +----------------------------------------------------------+ |
| | Work Hours | Rate Limited | Blocked | Blocked | |
| | (9 AM - 6 PM) | 5 Mbps | | | |
| +----------------------------------------------------------+ |
| | Lunch Break | Allowed | Limited | Limited | |
| | (12 PM - 1 PM) | | 10 Mbps | 10 Mbps | |
| +----------------------------------------------------------+ |
| | After Hours | Allowed | Allowed | Allowed | |
| | (6 PM - 9 AM) | | | | |
| +----------------------------------------------------------+ |
| | Weekends | Allowed | Allowed | Allowed | |
| +----------------------------------------------------------+ |
| |
+------------------------------------------------------------------+
6.2 Time-Based Configuration
! Time Range Definitions
time-range WORK-HOURS
periodic weekdays 9:00 to 18:00
time-range LUNCH-BREAK
periodic weekdays 12:00 to 13:00
time-range AFTER-HOURS
periodic weekdays 18:00 to 23:59
periodic weekdays 0:00 to 9:00
time-range WEEKENDS
periodic weekend 0:00 to 23:59
! URL Policy with Time Ranges
policy
data-policy URL-TIME-POLICY
vpn-list VPN-10-EMPLOYEE
! Block streaming during work hours
sequence 10
match
app-list STREAMING
time-range WORK-HOURS
action drop
count STREAMING-BLOCKED-WORK
!
!
! Allow streaming during lunch
sequence 20
match
app-list STREAMING
time-range LUNCH-BREAK
action accept
policer rate 10000000
count STREAMING-LUNCH
!
!
! Rate limit social media during work
sequence 30
match
app-list SOCIAL-MEDIA
time-range WORK-HOURS
action accept
policer rate 5000000
count SOCIAL-RATE-LIMITED
!
!
!
!
!
7. Reporting and Analytics
7.1 Umbrella Dashboard Integration
+------------------------------------------------------------------+
| UMBRELLA REPORTING |
+------------------------------------------------------------------+
| |
| Dashboard Widgets: |
| +----------------------------------------------------------+ |
| | Top Blocked Categories (Last 24 Hours) | |
| | 1. Malware | 1,234 blocks | |
| | 2. Adult Content | 567 blocks | |
| | 3. Gambling | 234 blocks | |
| | 4. Phishing | 189 blocks | |
| +----------------------------------------------------------+ |
| |
| Security Events: |
| +----------------------------------------------------------+ |
| | - Malware callbacks blocked: 45 | |
| | - Phishing attempts blocked: 23 | |
| | - C2 connections prevented: 12 | |
| | - Cryptomining blocked: 8 | |
| +----------------------------------------------------------+ |
| |
| Top Users (Blocked Requests): |
| +----------------------------------------------------------+ |
| | 1. user1@abhavtech.com | 234 blocks | |
| | 2. user2@abhavtech.com | 156 blocks | |
| | 3. user3@abhavtech.com | 98 blocks | |
| +----------------------------------------------------------+ |
| |
+------------------------------------------------------------------+
7.2 Local Logging Configuration
! URL Filter Logging
logging host 10.254.1.50 transport udp port 514
logging trap informational
! Log URL filter events
utd engine standard
logging
level informational
syslog host 10.254.1.50
!
!
! Log Format
! <timestamp> <device> UTD: URL blocked category=<cat> url=<url> user=<ip>
8. Best Practices Summary
8.1 DNS Security Best Practices
- Use Umbrella or equivalent cloud DNS security for all sites
- Enable DNSCrypt to protect DNS queries in transit
- Block direct DNS to external servers (prevent bypass)
- Configure local domain exceptions for internal resolution
8.2 URL Filtering Best Practices
- Implement defense in depth (DNS + URL + content)
- Use cloud-based reputation for real-time updates
- Create organization-specific whitelist for business apps
- Monitor and tune policies based on user feedback
8.3 Policy Management Best Practices
- Document all URL policy decisions with business justification
- Review and update policies quarterly
- Communicate acceptable use policy to users
- Provide feedback mechanism for false positives
8.4 Operational Best Practices
- Monitor block page hits for policy effectiveness
- Alert on sudden spikes in security blocks (potential incident)
- Regular review of top blocked categories and users
- Integration with SIEM for correlation
References
| Document |
Description |
Location |
| Cisco Umbrella Admin Guide |
Official Umbrella documentation |
docs.umbrella.com |
| SD-WAN URL Filtering Guide |
On-box URL filtering |
cisco.com |
| Abhavtech Acceptable Use Policy |
Corporate web usage policy |
SharePoint |
| CIPA Compliance Guide |
Content filtering requirements |
Internal |
Document Version: 1.0
Last Updated: December 2025
Classification: Internal Use
Document ID: SDWAN-SEC-3.7