Preventing Users Bypassing the Service

When you sign up, you’ll receive an email asking for subnet information. Shortly after submitting this, you’ll receive another email that contains your assigned Umbra Secure DNS server addresses. You need to choose which service you want from the three available, which should leave you with a pair of servers;
Primary, which we’ll call x.x.x.x
Secondary, which we’ll call y.y.y.y

You may want to take steps to prevent users trying to bypass our DNS servers. Depending on how your network is configured, you have a few options.

Firewall Rules

The simplest way is to set up a few firewall rules to prevent traffic reaching other DNS servers. How your firewall is configured will vary (but we’re happy to help). For example;

ALLOW tcp/udp from LOCAL SUBNETS to x.x.x.x on port 53 AND port 853
ALLOW tcp/udp from LOCAL SUBNETS to y.y.y.y on port 53 AND port 853
DROP tcp/udp from LOCAL SUBNETS to * on port 53 AND port 853

You could also NAT DNS traffic so it always ends up at our servers. Doing this may prevent users from realising their traffic is being filtered at all.

If you have an Active Directory environment, you could set up Group Policy to disallow users from changing their network or DNS settings.

Ideally, you’d combine these strategies.

A note on DoH: We respond with NXDOMAIN to any queries directed to, which will prevent web browsers from opportunistically using DoH. This does not prevent DoH from working if the user explicitly sets it, though. You may need to push browser related policies that disable DoH on user systems.