Overview:
If your Canaries are getting stuck during settings changes or updates, or if they're constantly dropping offline, it's likely that their DNS tunneling channel is being filtered or affected by a network security solution.
In this article we'll cover how to exempt your Canaries from filtering applied by Cisco Umbrella.
Step 1: How to check if your Canary traffic is being filtered.
To check if your Umbrella policies are affecting Canary traffic, head over to "Activity Search", then search for the "*.cnr.io" wildcard domain. This should show all your Canaries' traffic, and you can further filter by "Blocked" to see the reason. (It is usually blocked as "DNS Tunneling VPN".)
This is a heuristic block by Umbrella, so it may not appear immediately after your first deployment; Canaries that worked at first can start being blocked later.
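If you have exported the Activity Search results (or any DNS log covering the same period), the same check can be scripted. The example below is added here and is not part of the original article or of Cisco Umbrella's or Thinkst's tooling: it filters a CSV export for queries under the cnr.io and o3n.io domains named in this article and summarises how many were blocked, by which category, and from which internal hosts. The column names (timestamp, internal_ip, domain, action, categories) and the sample rows are constructed for illustration, not Umbrella's real export schema; adjust the header names to match your export.

```python
import csv
import io
from collections import Counter
from fnmatch import fnmatch

# Domains named in the article: Canary communication (cnr.io) and Canarytokens (o3n.io).
CANARY_PATTERNS = ("cnr.io", "*.cnr.io", "o3n.io", "*.o3n.io")

# Constructed sample export. Column names are an assumption for this example,
# not Cisco Umbrella's actual export schema.
SAMPLE_CSV = """timestamp,internal_ip,domain,action,categories
2024-01-01T10:00:00Z,10.0.1.20,abcd1234.cnr.io,Blocked,DNS Tunneling VPN
2024-01-01T10:00:05Z,10.0.1.21,ef567890.cnr.io,Blocked,DNS Tunneling VPN
2024-01-01T10:00:09Z,10.0.1.21,ef567890.cnr.io,Allowed,
2024-01-01T10:01:00Z,10.0.1.50,www.example.com,Allowed,Search Engines
2024-01-01T10:02:00Z,10.0.1.22,token.o3n.io,Blocked,DNS Tunneling VPN
"""


def is_canary_query(domain: str) -> bool:
    """True if the queried name is one of the Canary domains or a subdomain of one.

    Names are lower-cased and a trailing dot is stripped so that 'ABC.CNR.IO.'
    matches; 'notcnr.io' does not, because the wildcard requires the '.cnr.io' suffix.
    """
    name = domain.strip().lower().rstrip(".")
    return any(fnmatch(name, pattern) for pattern in CANARY_PATTERNS)


def triage(csv_text: str) -> dict:
    """Summarise Canary-related rows of a DNS activity export.

    Returns counts of Canary queries and blocked queries, blocked counts per
    category (the 'reason' the article tells you to look for, e.g. 'DNS Tunneling VPN'),
    and the internal hosts whose Canary queries were blocked.
    """
    rows = csv.DictReader(io.StringIO(csv_text))
    canary_rows = [row for row in rows if is_canary_query(row["domain"])]
    blocked = [row for row in canary_rows if row["action"].strip().lower() == "blocked"]
    by_reason = Counter(row["categories"].strip() or "(none)" for row in blocked)
    return {
        "canary_queries": len(canary_rows),
        "blocked": len(blocked),
        "blocked_by_reason": dict(by_reason),
        "affected_hosts": sorted({row["internal_ip"] for row in blocked}),
    }


if __name__ == "__main__":
    # Run against the constructed sample; pass a real export's text to triage() instead.
    for key, value in triage(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```

A non-empty `blocked_by_reason` with a "DNS Tunneling VPN" entry is the signal the article describes; the `affected_hosts` list tells you which Canaries (by internal IP) are the ones dropping offline, which is useful when only some of them are affected because the block is heuristic.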
Step 2: Exclude the Canary communication domain from filtering.
To exempt your Canaries from filtering, head over to "Policies", then "Destination Lists". Here you'll want to add the "cnr.io" domain to your Global Allow list (this covers all the per-Canary subdomains under it). Don't forget to hit "Save" when you're done.
While you're here, it's worth exempting the "o3n.io" Canarytoken domain as well.
Checking the activity logs again after the change, you'll see the queries are now being allowed.