Can Users Bypass Cisco Umbrella With Encrypted DNS? Why an Endpoint SWG Closes the Gap
Cisco Umbrella works by being your DNS resolver. Every name lookup goes to Umbrella, which decides whether the domain is allowed. That model has a quiet problem in 2026: browsers and operating systems can now do their own encrypted DNS (DNS over HTTPS) and route lookups straight past your resolver. When that happens, Umbrella does not block the request. It never sees it.
Short answer: Yes, users can bypass Cisco Umbrella with encrypted DNS, because Umbrella enforces at the DNS layer and DoH moves the lookup somewhere it cannot inspect. dope.security closes that gap with an agent-based endpoint secure web gateway that inspects traffic on the device after decryption, so enforcement does not depend on owning the resolver.
How encrypted DNS routes around the resolver
Traditional DNS is plaintext and goes to whatever resolver the network or device is configured to use. Umbrella relies on being that resolver. DNS over HTTPS changes the picture: the browser encrypts the lookup and sends it to its own DoH provider over port 443, looking like ordinary web traffic. The network, and Umbrella, see an HTTPS connection, not a DNS query they can read or filter. Some browsers enable this by default, and a user can flip it on in settings. The moment they do, DNS-layer filtering is out of the loop. This is a sharper version of the broader point we make in whether DNS filtering is enough.
Umbrella has mitigations, and they are partial
Cisco knows about DoH. The roaming client can try to disable or steer browser DoH, and you can push browser policies to turn it off. But this is a game of suppressing every bypass path on every browser and OS, forever, including the ones users install themselves. It is fragile by design, because the enforcement point assumes it owns name resolution. We covered the related visibility gaps in Cisco Umbrella DNS filtering versus HTTPS inspection and in what Cisco Umbrella cannot see.
Why the endpoint is the durable enforcement point
An agent-based endpoint secure web gateway does not depend on being the resolver. dope.security inspects the actual web connection on the device, after TLS decryption, regardless of how the name was resolved. If the browser used DoH, it does not matter, because enforcement happens on the request itself, not on the lookup that preceded it. That is the structural reason an endpoint SWG is not bypassed by encrypted DNS. We make the broader case in going beyond DNS filtering to an endpoint SWG and in Cisco Umbrella SIG versus an endpoint SWG.
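To make the mechanism concrete, here is an added Python example (not code from dope.security or Cisco). It packs a DNS query into an RFC 8484 DoH GET URL the way a browser would, contrasts what a network-layer observer gets (only the destination host and port) with what a device-side inspector recovers after TLS decryption (the queried name), and runs a simple check over constructed connection records. The resolver URL, the flow records and the DoH host watchlist are illustrative assumptions, not values from this page.

```python
"""DoH bypass, seen from the network and from the device.

Added example; not part of the original post. All hostnames, URLs and
log records below are constructed for illustration.
"""
import base64
import struct
from urllib.parse import urlsplit

DOH_MEDIA_TYPE = "application/dns-message"  # RFC 8484 media type
# Illustrative watchlist of public DoH endpoints; a real deployment keeps its own.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Encode a minimal RFC 1035 wire-format query (A record by default)."""
    # ID 0, RD flag set, one question; RFC 8484 recommends ID 0 for cacheability.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qclass IN


def doh_get_url(resolver_url: str, name: str) -> str:
    """Build the GET form of a DoH request: the DNS message rides in ?dns=."""
    wire = build_dns_query(name)
    dns_param = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={dns_param}"


def network_view(url: str) -> dict:
    """What a DNS-layer or flow-level observer sees: an HTTPS connection, no query."""
    parts = urlsplit(url)
    return {"dst": parts.hostname, "port": parts.port or 443}


def decode_doh_query(dns_param: str) -> str:
    """What an on-device inspector recovers after TLS decryption: the queried name."""
    padded = dns_param + "=" * (-len(dns_param) % 4)
    wire = base64.urlsafe_b64decode(padded)
    labels, pos = [], 12  # skip the 12-byte header
    while wire[pos] != 0:
        length = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def device_view(url: str) -> dict:
    """Decrypted request as the endpoint agent sees it, including the DNS name asked for."""
    parts = urlsplit(url)
    dns_param = dict(p.split("=", 1) for p in parts.query.split("&") if "=" in p)["dns"]
    return {"dst": parts.hostname, "path": parts.path, "queried_name": decode_doh_query(dns_param)}


# Constructed connection records, as a proxy that can see content types might log them.
SAMPLE_FLOWS = [
    {"dst": "www.example.com", "port": 443, "content_type": "text/html"},
    {"dst": "dns.google", "port": 443, "content_type": DOH_MEDIA_TYPE},
    {"dst": "cloudflare-dns.com", "port": 443, "content_type": DOH_MEDIA_TYPE},
    {"dst": "cdn.example.net", "port": 443, "content_type": "application/octet-stream"},
]


def flag_doh_flows(flows: list) -> list:
    """Return destinations that look like browser DoH traffic skipping the corporate resolver.

    The host match works from the connection alone; the content-type match is only
    possible where TLS has been decrypted, which is the endpoint SWG's vantage point.
    """
    return [
        f["dst"] for f in flows
        if f["port"] == 443
        and (f["dst"] in KNOWN_DOH_HOSTS or f.get("content_type") == DOH_MEDIA_TYPE)
    ]


if __name__ == "__main__":
    url = doh_get_url("https://doh.example/dns-query", "blocked.example.com")
    print("network sees:", network_view(url))
    print("device sees: ", device_view(url))
    print("flagged:     ", flag_doh_flows(SAMPLE_FLOWS))
```

The two views are the whole argument in miniature: `network_view` has nothing a domain policy could act on, while `device_view` exposes the name and the request path. The watchlist half of `flag_doh_flows` also shows why suppression is fragile: a resolver not on the list is invisible to the host match, and only the post-decryption content-type match catches it.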
| Control | Cisco Umbrella (DNS layer) | dope.security (endpoint SWG) |
|---|---|---|
| Survives browser DoH / encrypted DNS | No, lookup routes around it | Yes, enforces on the request |
| Full URL path visibility | No | Yes |
| TLS inspection | Only via proxy tier | On the device |
| In-app action control | No | Yes |
| File upload and DLP | No | Dopamine DLP |
| AI prompt inspection | No | Yes |
| Off-network coverage | Roaming client | Agent, anywhere |
This is not a one-off trick; it is the trend
Encrypted DNS is becoming the default, not the exception. Browsers ship it on, privacy guidance encourages it, and operating systems are adding native support. A security model that depends on intercepting plaintext DNS is fighting the direction the whole web is moving. An endpoint model that inspects the request itself is aligned with it. The same logic explains why DNS cannot govern AI: even if you allow the domain, you cannot see the prompt, which is why real AI governance needs on-device inspection and tenant control through Cloud Application Control and Dopamine DLP. For data at rest, CASB Neural covers the SaaS side.
Proof: DNS-only missed the real traffic
Greylock Partners left Cisco Umbrella for dope.security in part because DNS-only filtering missed HTTPS traffic and the proxy option still backhauled through Cisco data centers. They went from first proposal to signed contract in 27 days, detailed in the Greylock customer story. It is the same gap encrypted DNS widens: the lookup is not where the risk lives.
Is DNS filtering bypassable, and what fixes it?
Can users bypass Cisco Umbrella with DoH? Yes. If a browser or OS uses DNS over HTTPS to its own provider, the lookup does not reach Umbrella, so Umbrella cannot filter it. Mitigations exist but require suppressing every bypass path everywhere.
Why does an endpoint SWG not have this problem? Because it enforces on the web request on the device after TLS decryption, not on the DNS lookup. How the name was resolved is irrelevant to enforcement.
Is DNS filtering useless then? No, it is a fine first coarse layer. It is just not sufficient on its own, and encrypted DNS makes that clearer every quarter.
If your filtering can be turned off by a browser setting, it is time to move enforcement to the device. See how Fly Direct secure web gateway works and book a 20-minute demo.