Point Your DNS to Cisco Secure Access

Configure your DNS to direct traffic from your network to the Cisco Secure Access global network. When a request to resolve a hostname on the internet is made from a network pointed at our DNS addresses, Secure Access applies the security settings configured in your policy rules.

To have Secure Access protect your networks, you need to explicitly change the DNS settings in your operating system or hardware firewall or router to Secure Access's name server IP addresses and turn off the automatic DNS servers provided by your ISP. Secure Access supports both IPv4 and IPv6 addresses.

Note: Several systems allow you to specify multiple DNS servers. We recommend that you only use the Cisco Secure Access DNS servers and do not include any other DNS servers.

Cisco Secure Access DNS Resolvers – IP addresses

IPv4IPv6
208.67.222.2222620:119:35::35
208.67.220.2202620:119:53::53

Cisco Secure Access DNS Resolvers – Anycast IP Addresses

North America (USA-only) DNS resolvers guarantee only that DNS queries are resolved by a USA-based Secure Access data center. Block pages use global Anycast and may go to any data center, including one located outside of the USA.

IPv4IPv6Port/ProtocolDescription
208.67.222.2222620:119:35::3553 TCP/UDPPrimary
208.67.220.2202620:119:53::5353 TCP/UDPSecondary
208.67.220.222n/a53 TCP/UDPTertiary
208.67.222.220n/a53 TCP/UDPQuaternary
208.67.221.762620:119:17::7653 TCP/UDPUSA only Primary
208.67.223.762620:119:76::7653 TCP/UDPUSA only Secondary

Table of Contents

Prerequisites

  • Administrative privileges on the device or server where the DNS is configured.

Note: We recommend that only users who have administrative access to the router, DNS server, or their own computer attempt to use these instructions as you need this level of access to complete these steps.

Procedure

Change the DNS server addresses to Cisco Secure Access DNS server addresses.

Step 1 – Identify Where Your Public DNS Server Addresses are Configured

Determine which device or server on your network maintains the addresses of your public DNS servers—most often a router or DNS server. Typically, the device that provides an internal non-routable IP address (DHCP) or the device that serves as your default gateway is also where you configure public DNS servers.

Step 2 – Log Into the Server or Router Where DNS is Configured

  1. Log into the server or router where the DNS settings are configured.
  2. Locate the DNS settings for this device. If you are unsure of where these settings are and require guidance on configuring a server or router, see Step 3 – Change Your DNS Server Addresses.

Step 3 – Change Your DNS Server Addresses

Before you change your DNS settings to use Secure Access, record the current DNS server addresses or settings (for example, write them down on a piece of paper). Retain a copy of these DNS settings in case you need to revert to them at a later date.

Some ISPs hard-code their DNS servers into the equipment they provide. If you are using such a device, you can not configure it to use Secure Access. Instead, you can configure each of your computers by installing the Cisco Secure Client or configuring the DNS server addresses on each computer. For more information about configuring a Windows, macOS, or Linux computer, see Computer Configuration.

The process for changing your DNS settings varies according to the operating system and version (Windows, Mac, or Linux) or the device (DNS server, router, or mobile device). This procedure might not apply to your OS, router, or device. For authoritative information, see the vendor documentation.

To change your settings on a typical router:

  1. In your browser, enter the IP address to access the router's user interface and enter your password.
  2. Find the area of configuration in which DNS server settings are specified and replace those addresses with the Cisco Secure Access IP addresses.
IPv4IPv6
208.67.222.2222620:119:35::35
208.67.220.2202620:119:53::53

Primary and Secondary Servers

You can use either an IPv4 or IPv6 DNS address as your primary or secondary DNS server. You must use both numbers and not the same IP address twice. If your router requires a third or fourth DNS server setting, you can use 208.67.220.222 and 208.67.222.220 or 2620:119:35::35 and 2620:119:53::53 as the third and fourth entry respectively.

  1. Save your changes and exit your router's user interface.
  2. Flush your DNS cache.
  3. Confirm that your DNS is set as static.
  4. Test that your setup is working correctly. See Step 4 – Test Your New DNS Settings.

Tip: When you make changes to DNS, you may have cached results that affect service. Flush your DNS cache to ensure that you’re receiving only the latest DNS results. For information on how to flush your DNS cache, see Clear Your DNS Cache.

Note: Email servers have unique DNS configurations. We don't recommend that you configure your email servers to point to Secure Access DNS.

Step 4 – Test Your New DNS Settings

If you have trouble getting web pages to load, contact Cisco Support at https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html.


Add Network Resources < Point Your DNS to Secure Access > Clear Your DNS Cache