Cisco Umbrella and Encrypted Client Hello: The DNS Blind Spot Coming in 2026
The signal Cisco Umbrella reads is about to disappear
Here is the uncomfortable part of running DNS-layer filtering in 2026. Cisco Umbrella decides what to allow or block by reading the destination of a request before the connection is encrypted. Encrypted Client Hello, the browser change now rolling out across Chrome, Firefox, and Edge, hides exactly that signal. When the destination is encrypted, a DNS-tier tool sees a lookup happen and then goes quiet for the rest of the session. The thesis of this post is simple and testable: as Encrypted Client Hello spreads, Cisco Umbrella loses visibility precisely where on-device SSL inspection keeps it, because the only place left to read the destination is on the device itself. If you are weighing this gap seriously, start with the complete guide to replacing Cisco Umbrella in 2026, then come back here for the encryption detail.
dope.security is the modern, agent-based replacement built for this exact shift. The proxy runs on the endpoint, so it sees the full request, inspects the TLS session locally, and enforces policy whether or not the destination was ever exposed in cleartext. No backhauling. No reliance on a plaintext field that browsers are actively removing.
This is not a theoretical worry for some future internet. The change is shipping now, and it quietly erases the foundation DNS filtering was sold on.
What Encrypted Client Hello actually changes
When a browser opens a secure connection, it used to send the destination hostname in the clear inside the TLS handshake, in a field called Server Name Indication. Network-tier and DNS-adjacent tools leaned on that field, plus the DNS query itself, to know where you were going. Encrypted Client Hello wraps that handshake so the hostname is no longer readable in transit.
Cisco Umbrella's core enforcement model is DNS resolution. It answers the lookup, applies a category or block decision at that moment, and then the encrypted session proceeds without further inspection unless you route traffic through the Secure Internet Gateway proxy. Once Encrypted Client Hello is in play, even the supporting signals that DNS filtering relied on get thinner. The lookup may resolve to a shared content delivery network address used by thousands of domains, and the cleartext hostname that used to disambiguate it is gone.
The result is a filter making decisions on less and less information. We covered the encrypted DNS version of this problem in our breakdown of how DNS over HTTPS bypasses Cisco Umbrella. Encrypted Client Hello is the next layer of the same trend: the network is going dark, on purpose, and DNS filtering has no answer for it.
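To make the "what the network can still read" point concrete, here is a short Python example, added to this post and not code from dope.security or Cisco, that builds two minimal TLS ClientHello records from constructed bytes and parses them the way an in-transit observer would. The extension codepoints are the registered ones (server_name = 0, encrypted_client_hello = 0xfe0d); the hostnames are made up, and the ECH payload is a placeholder blob standing in for the HPKE-encrypted inner ClientHello, because the point is what stays visible, not the cryptography. With ECH, the cleartext SNI carries only the provider's public name, so a filter keyed to the wire can no longer tell which site behind that name the user reached.

```python
"""Constructed ClientHello records: what an in-transit observer sees with and without ECH."""
import struct
from typing import Optional

# Extension codepoints from the TLS ExtensionType registry.
EXT_SERVER_NAME = 0x0000
EXT_ECH = 0xFE0D


def _sni_extension(hostname: str) -> bytes:
    """Encode a server_name extension with a single host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type = host_name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list


def build_client_hello(hostname: str, ech_public_name: Optional[str] = None) -> bytes:
    """Build a minimal TLS record carrying a ClientHello (constructed, not a capture).

    Without ECH the real hostname sits in the cleartext SNI. With ECH the outer
    ClientHello carries only the ECH config's public_name in SNI plus an
    encrypted_client_hello extension whose payload (the real hostname and the rest
    of the inner ClientHello) is opaque on the wire. The payload here is a placeholder.
    """
    if ech_public_name is None:
        exts = _sni_extension(hostname)
    else:
        opaque = b"\x00" * 64  # stands in for the HPKE-encrypted inner ClientHello
        exts = _sni_extension(ech_public_name) + struct.pack("!HH", EXT_ECH, len(opaque)) + opaque
    body = (
        b"\x03\x03"                # legacy_version
        + b"\x11" * 32             # client random (constructed)
        + b"\x00"                  # empty legacy_session_id
        + b"\x00\x02\x13\x01"      # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"              # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def observe_client_hello(record: bytes) -> dict:
    """Return what the wire exposes: the cleartext SNI (if any) and whether ECH is present."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                                            # legacy_version + random
    pos += 1 + body[pos]                                    # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    seen = {"sni": None, "ech": False}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_ECH:
            seen["ech"] = True
        elif etype == EXT_SERVER_NAME and len(data) >= 5 and data[2] == 0:
            name_len = struct.unpack("!H", data[3:5])[0]
            seen["sni"] = data[5:5 + name_len].decode("ascii")
    return seen


def network_tier_decision(record: bytes, blocked_hosts: set) -> tuple:
    """What a filter keyed to the wire can conclude: (verdict, visible name)."""
    seen = observe_client_hello(record)
    if seen["ech"]:
        # Only the public name is visible; the real destination is inside the ECH payload.
        return ("undetermined", seen["sni"])
    if seen["sni"] in blocked_hosts:
        return ("block", seen["sni"])
    return ("allow", seen["sni"])


if __name__ == "__main__":
    blocked = {"files.personal-drive.test"}  # constructed hostname
    plain = build_client_hello("files.personal-drive.test")
    with_ech = build_client_hello("files.personal-drive.test", ech_public_name="cdn.provider.test")
    print(observe_client_hello(plain))      # {'sni': 'files.personal-drive.test', 'ech': False}
    print(observe_client_hello(with_ech))   # {'sni': 'cdn.provider.test', 'ech': True}
    print(network_tier_decision(plain, blocked))      # ('block', 'files.personal-drive.test')
    print(network_tier_decision(with_ech, blocked))   # ('undetermined', 'cdn.provider.test')
```

The second record is the one that matters for the argument above: the parser works exactly as before, but the only name it can recover is the shared public name, and the blocklist match that was trivial on the first record becomes undecidable on the wire. An agent on the endpoint never parses this record at all; it sees the hostname the browser chose before the inner ClientHello is encrypted.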
Why on-device inspection is the only place left to look
If the destination is encrypted everywhere in transit, there is exactly one location where it is still readable in cleartext: the device that originated the request. The browser knows where it is going. The operating system knows. An agent running on that endpoint can see the real destination, inspect the TLS session locally, classify the content, and apply policy before a single byte leaves.
That is the dope.security model. The Fly Direct Secure Web Gateway performs SSL inspection on the endpoint, not in a data center and not at the DNS resolver. Encrypted Client Hello does not blind it, because the agent sits on the same side of the encryption as the user. The destination is never hidden from the place that is actually doing the work.
This is the difference between reading a signal in transit, which browsers are removing, and reading it at the source, which no encryption standard takes away. For a deeper look at the mechanics, see our piece on on-device TLS inspection.
DNS layer versus endpoint SWG: what each can still see
Here is the capability gap in plain terms once Encrypted Client Hello is the default.
| Capability after Encrypted Client Hello | Cisco Umbrella (DNS layer) | dope.security (on-device SWG) |
|---|---|---|
| See the real destination of an encrypted session | No, hostname is hidden in transit | Yes, read on the device before encryption |
| Inspect content inside the TLS session | No inspection at the DNS tier | Yes, local SSL inspection on the endpoint |
| Apply per-user policy off the corporate network | Limited, keyed to resolver and network | Yes, policy travels with the agent |
| Catch sensitive data leaving in an upload or AI prompt | No, DNS sees domains, not payloads | Yes, Dopamine DLP inspects data in motion |
| Distinguish a corporate SaaS tenant from a personal one | No, same domain resolves identically | Yes, tenant-level Cloud Application Control |
The takeaway: encryption that hides destinations in transit does not hide them from an agent running where the request begins.
The SIG proxy upgrade reintroduces the problem you left
Cisco's answer to DNS blind spots is the Secure Internet Gateway, which adds a full proxy. That moves inspection off the device and into Cisco's data centers, which means traffic gets steered, backhauled, and decrypted somewhere far from the user. You trade a visibility gap for a latency and routing tax. We walked through the limits of that path in Cisco Umbrella SIG and its TLS inspection limits.
The agent-based model avoids the trade entirely. Inspection happens locally, so you get full TLS visibility without sending every request on a detour. That is the whole point of Fly Direct: the security runs where the user is, not in a building three states away.
Three things you lose when the destination encrypts
The visibility gap is not abstract. It shows up in three concrete places that security teams feel within weeks of a browser update wave.
The first is accurate reporting. DNS logs have always been a coarse record, a list of domains resolved with no detail on what happened next. As Encrypted Client Hello and shared infrastructure blur which site a lookup actually reached, those logs get coarser still. You end up with reports that say a category was touched, not which destination, not which user action, not whether anything sensitive moved. When a board or an auditor asks what your web control actually saw last quarter, "a domain was resolved" is a thin answer.
The second is enforcement on sanctioned SaaS. Once a user reaches an approved domain, DNS filtering is done; it resolved the name and stepped aside. It cannot tell a corporate tenant from a personal one on the same domain, and it cannot see a file being uploaded into either. That is the gap we covered in Cisco Umbrella DNS filtering versus HTTPS inspection, and Encrypted Client Hello only widens it. An on-device proxy applies tenant-level Cloud Application Control and inspects the upload, because it is reading the session, not the lookup.
The third is data loss prevention. A domain name tells you nothing about a payload. If an employee pastes a customer list into a personal AI tool or uploads a contract to a personal drive, DNS sees a benign domain and waves it through. Dopamine DLP inspects data in motion on the device and classifies it before it leaves, with zero-retention APIs. You can read how the endpoint DLP model works on the Fly Direct Secure Web Gateway page. None of this is reachable from the DNS tier, with or without encryption.
What this means for the buyer evaluating a switch
If you are still running Cisco Umbrella as your primary web control, Encrypted Client Hello is a reason to move the timeline up, not a reason to wait. Every browser update pushes more of your traffic into the encrypted dark, and a DNS filter cannot follow it there. The teams that already made the call did it fast. Greylock Partners moved off Cisco Umbrella to dope.security and went from first proposal to signed contract in 27 days, in part because DNS-only filtering was missing HTTPS traffic their distributed team relied on. Read how Greylock Partners ditched Cisco Umbrella for the full story.
The architectural questions are the same ones we raised in is DNS filtering enough in 2026 and beyond DNS filtering with an endpoint SWG. Encrypted Client Hello just makes the answer sharper. When the network goes quiet, you need a control that was never listening to the network in the first place.
Frequently asked questions
Does Encrypted Client Hello break DNS filtering?
It breaks the part of DNS filtering that depended on reading the destination hostname in transit. Encrypted Client Hello hides the Server Name Indication field, so tools like Cisco Umbrella that classify destinations at the network or DNS tier lose a signal they relied on. An on-device Secure Web Gateway is not affected, because it reads the destination on the endpoint before the session is encrypted.
Can Cisco Umbrella still block sites after Encrypted Client Hello rolls out?
It can still block at the DNS resolution step for domains that resolve to dedicated addresses, but its decisions get less precise as shared infrastructure and encrypted handshakes hide which specific site a user is reaching. Once a destination is encrypted in transit, DNS filtering cannot inspect what happens inside that session.
What is the best alternative to Cisco Umbrella for encrypted traffic?
An agent-based Secure Web Gateway that inspects TLS on the device, such as dope.security. Because the proxy runs on the endpoint, Encrypted Client Hello does not blind it, and you also gain content inspection, tenant-level Cloud Application Control, and Dopamine DLP that DNS filtering never provided.
Stop filtering a signal that is disappearing
To restate the thesis in plain terms: DNS filtering reads where you are going from the network, and the network is going dark. Encrypted Client Hello removes the last cleartext clue Cisco Umbrella leaned on, and the only place the destination stays visible is the device. A category decision made at the resolver was always a guess about what came next; now even the guess is getting worse, because the inputs that fed it are being encrypted out of reach. The architecture that survives this is the one that never depended on the network seeing the destination in the first place.
dope.security runs the proxy on the endpoint, inspects locally, and keeps enforcing policy while DNS-tier tools squint at an encrypted blur. If you want the full migration path off DNS-layer filtering, the complete guide to replacing Cisco Umbrella in 2026 covers architecture, rollout, and what to expect. Then book a 20-minute demo and watch on-device inspection handle the traffic your DNS filter can no longer read.