When Cisco Umbrella fails open, who's protecting your users?
Security tools have a quiet failure mode that rarely makes the sales deck: what happens when they cannot do their job. For a DNS-layer filter like Cisco Umbrella, the uncomfortable answer is often that traffic keeps flowing while protection lapses. DNS is designed to resolve, and when resolution or policy enforcement falters, the safe-for-availability behavior tends to be to let the request through. That is fine for keeping the internet working. It is not fine as a security posture. dope.security takes the opposite stance: enforcement runs on the device, stays on with cached policies, and does not depend on a lookup succeeding somewhere else.
Answer snippet: When Cisco Umbrella cannot enforce, DNS-layer filtering tends to fail toward availability, letting requests through while protection lapses. dope.security is the agent-based replacement that enforces on the device with cached-policy fallback, so security stays on even when connectivity or a remote service does not. It also inspects what DNS never can: URL paths, encrypted content, in-app actions, and AI prompts.
What "fail open" actually means
Fail open is the design choice to keep traffic flowing when a control cannot make a confident decision. DNS-based filtering leans this way for a practical reason: if name resolution breaks, the internet breaks, so the system is biased toward resolving. The result is that a range of conditions (a resolver problem, a roaming client that is not active on a given network, a policy that did not reach the device) can leave users connected but unprotected. Nobody gets an error. The page loads. The only thing missing is the security, and missing security is invisible until it is not.
This is not a knock on DNS as a technology. It is a statement about where enforcement should live. If your protection depends on a lookup being intercepted and evaluated correctly every time, you have built your security on the most availability-biased layer of the stack.
Enforcement belongs on the device
dope.security runs enforcement in the dope.endpoint agent on the device itself. SSL inspection, URL filtering, Cloud Application Control, anti-malware, and Dopamine DLP all execute locally. Policy is pushed from dope.console in seconds, and critically, the agent keeps a cached copy. If connectivity drops or the management plane is briefly unreachable, enforcement continues against the cached policy. The device does not quietly revert to wide-open. It keeps doing its job. That is a fail-safe posture rather than a fail-open one, and for a control whose entire purpose is to be there when something goes wrong, the distinction is the whole point.
Off-network is where DNS coverage gets thin
Cisco Umbrella's strongest position is on a network whose resolvers you point at it. The roaming client extends coverage to devices off that network, but it introduces exactly the conditions where gaps appear: the client has to be installed, active, and functioning on whatever network the user joined, and DNS-layer enforcement still only sees the domain. A laptop on a hotel network with a captive portal, a device mid-handoff between networks, a user whose roaming client has hit a snag: these are everyday situations, and they are precisely when a DNS-first model is most likely to let requests through unexamined. Because dope.security enforces on the device regardless of the network underneath, none of those situations creates a coverage hole.
Even when DNS works perfectly, it is half-blind
Set aside availability for a moment. Even when Umbrella is functioning exactly as designed, it sees the domain and not the rest. It cannot read the URL path, so it cannot tell a clean page from a malicious one on the same trusted domain. It cannot inspect TLS-encrypted content, which is almost all content now. It cannot see the action a user takes inside a sanctioned app, the file they upload, or the prompt they paste into an AI tool. dope.security inspects all of it on the device. The reliability argument and the visibility argument point the same way: enforcement at the endpoint sees more and stays on more.
Bypass is easier than admins assume
Fail-open is not only about service disruption. It is also about how trivially DNS-based enforcement can be sidestepped, sometimes by users who are not even trying to be malicious. A device configured to use a different resolver, an application that ships its own DNS-over-HTTPS, or a network that hijacks DNS can all route around a DNS filter. Encrypted DNS in particular has become a default in many browsers and operating systems, and when a client resolves names over an encrypted channel to a public resolver, a traditional DNS filter never sees the query at all. The protection did not fail loudly; it was simply never in the path. dope.security does not depend on owning the resolver. It enforces in the request path on the device, so changing DNS settings or using encrypted DNS does not create a gap. The control is anchored to the endpoint, not to a network behavior a user or an app can quietly change.
This is the practical heart of the reliability argument. A control you can route around by flipping a setting is a control you cannot fully trust to be present. Endpoint enforcement removes that class of bypass because there is no upstream lookup to redirect.
Enforcement that survives bad days
The scenarios where security matters most are the messy ones: a user on an unstable connection, a device that just changed networks, a brief outage in a cloud service, an employee traveling through a region with aggressive network interference. These are precisely the moments a fail-open, lookup-dependent model is most likely to lapse, and precisely the moments an attacker or an accidental leak is most likely to slip through. dope.security is designed for the bad day. Enforcement runs on the device against cached policy, so a connectivity problem does not become a security problem. SSL inspection, URL filtering, Cloud Application Control, and Dopamine DLP keep operating locally whether or not the management plane is reachable at that instant. The control is built to be present when conditions are worst, which is the only time the question of fail-open versus fail-safe actually matters.
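The two failure behaviours described above (a domain-only filter that lets traffic through when it is down or not in the path, versus on-device enforcement that keeps the cached policy when the management plane is unreachable), modelled as an added example. This is not dope.security's or Cisco's code; the policy format, `dns_filter`, `EndpointEnforcer`, the sample domains and the deny-until-first-policy behaviour are constructed assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample policy: one blocked domain plus one blocked path on an
# otherwise trusted domain (a rule a domain-only filter cannot express).
SAMPLE_POLICY = {
    "blocked_domains": {"evil.example"},
    "blocked_paths": {("files.example", "/share/public")},
}

def dns_filter(url, policy, resolver_up=True, in_path=True):
    """Domain-only verdict; when no verdict can be reached, traffic proceeds."""
    if not in_path or not resolver_up:
        return "allow"   # never consulted (e.g. DoH elsewhere) or resolver down: fail open
    host = urlsplit(url).hostname or ""
    return "block" if host in policy["blocked_domains"] else "allow"

class EndpointEnforcer:
    """On-device enforcer that keeps the last good policy when a refresh fails."""
    cached_policy = None

    def refresh(self, fetch):
        try:
            self.cached_policy = fetch()   # management plane reachable
            return True
        except ConnectionError:
            return False                   # keep enforcing the cached copy

    def decide(self, url):
        if self.cached_policy is None:
            return "block"   # assumption: deny until the first policy arrives
        parts, pol = urlsplit(url), self.cached_policy
        host = parts.hostname or ""
        blocked = host in pol["blocked_domains"] or any(
            host == h and parts.path.startswith(p) for h, p in pol["blocked_paths"])
        return "block" if blocked else "allow"

def _unreachable():
    raise ConnectionError("management plane unreachable")

def bad_day(url):
    # Verdicts for one URL under the failure conditions discussed above.
    agent = EndpointEnforcer()
    agent.refresh(lambda: SAMPLE_POLICY)   # earlier, while connected
    agent.refresh(_unreachable)            # now the management plane is down
    return {
        "dns_healthy": dns_filter(url, SAMPLE_POLICY),
        "dns_resolver_down": dns_filter(url, SAMPLE_POLICY, resolver_up=False),
        "dns_bypassed": dns_filter(url, SAMPLE_POLICY, in_path=False),
        "endpoint_offline": agent.decide(url),
    }
```

Calling `bad_day("https://files.example/share/public/x.zip")` shows the second half of the argument: the domain filter allows it even when healthy, because the domain is trusted, while the endpoint enforcer blocks on the path from cache.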
What "always on" buys a security team
For the people who run security, the value of fail-safe enforcement is not abstract. It is the elimination of an entire category of uncertainty. You do not have to wonder whether enforcement was active during a given window, you do not have to reconstruct lookup success from logs after an incident, and you do not have to caveat your coverage claims with "assuming the roaming client was working." On-device enforcement with cached fallback gives you a defensible, consistent posture you can attest to. In a world where boards, auditors, and cyber insurers all want evidence that controls were actually operating, "it runs on every device and stays on" is a far stronger statement than "it usually resolves through our filter." That confidence is worth as much as any single feature on the comparison sheet.
DNS-layer filtering vs endpoint SWG
| Capability | DNS layer (Cisco Umbrella) | Endpoint SWG (dope.security) |
|---|---|---|
| Failure behavior | Tends to fail open | Cached-policy fallback, stays on |
| URL path visibility | Domain only | Full URL and path |
| TLS inspection | No (without backhauled proxy) | On-device |
| In-app action control | No | Yes, Cloud Application Control |
| File upload / DLP | No | Dopamine DLP, zero-retention |
| AI prompt inspection | No | Yes, on the device |
| Off-network coverage | Depends on roaming client | Always on, any network |
| Single-console operation | Part of broader Cisco stack | One console, instant policy |
The operational cost of silent gaps
Fail-open gaps are expensive precisely because they are quiet. A control that throws errors gets fixed. A control that silently stops protecting while everything appears normal does not generate a ticket, so the exposure can persist for days. Security teams end up auditing whether enforcement was actually active during an incident window, which is a miserable forensic exercise. dope.security's on-device, cached enforcement removes that ambiguity. Policy is applied on the device, every time, and you are not reconstructing after the fact whether a lookup somewhere succeeded.
Migrating to fail-safe enforcement
Moving from Umbrella to dope.security is a phased MDM rollout, not a forklift. You push the dope.endpoint agent to a pilot group, confirm policies in dope.console, and expand. One Cisco Umbrella customer migrated 2,000 machines in two days. Greylock Partners replaced a legacy DNS-and-proxy setup and closed in 27 days. Throughout the transition, the cached-policy model means devices are never left in a fail-open state. You are trading an availability-biased control for one that is designed to keep protecting when conditions are bad, which is exactly when you need it.
Does Cisco Umbrella fail open?
DNS-layer filtering, including Cisco Umbrella's core model, is biased toward availability, so when resolution or enforcement is disrupted, traffic tends to continue while protection lapses. The roaming client and SIG proxy add coverage but introduce more conditions where gaps can appear. dope.security enforces on the device with cached-policy fallback, so protection stays active even when connectivity or a remote service is unavailable.
Layering, not just replacing
Some teams will keep a DNS filter as a fast first layer, and that is a reasonable choice; broad domain blocking is cheap insurance against obvious threats. The mistake is treating that first layer as the whole defense. Defense in depth means each layer should cover what the others cannot, and a DNS filter and an endpoint SWG are complementary in exactly that way: DNS catches some known-bad lookups early, and the endpoint SWG catches everything DNS structurally misses, while staying on when DNS fails open. The point of this piece is not that domain filtering is useless. It is that no availability-biased, domain-only control should be the layer your security posture actually rests on. Put the enforcement you depend on where it cannot quietly disappear, on the device, and treat DNS filtering as the lightweight extra it has always been rather than the foundation it was never built to be.
Keep protection on when it matters most
A security control should be most reliable exactly when things are going wrong. DNS filtering is built to do the opposite. dope.security enforces on the device and stays on. Start a free trial or book a 20-minute demo. For more, read whether DNS filtering is enough, our piece on moving beyond DNS filtering to an endpoint SWG, and what Cisco Umbrella cannot see.