Pi-hole → Cisco Umbrella
Pi-hole ↔ Cisco Umbrella: integration to migration path.
DNS is load-bearing: break LAN resolution and nothing on the network finds anything. So Pi-hole goes live behind Cisco Umbrella first, forwarding to it so Umbrella still sees and judges every query, and only takes over the LAN one VLAN at a time. No flag day, no forced re-credentialing, and every phase rolls back in minutes.
The honest end state is partial: laptops off-LAN stay on Cisco Secure Client permanently. We replace Umbrella on the LAN, not everywhere — and we say so up front, because the rest of this only matters if you can trust it.
The idea
Resolve behind Umbrella first. Retire it from the LAN last.
The topology that makes this zero-downtime is conditional forwarding: Pi-hole becomes the LAN's resolver via DHCP option 6, answers its own blocklist hits locally, and forwards everything else upstream to Umbrella anycast, so it becomes your LAN front door without changing how a single external query is ultimately resolved. Conditional forwarders send internal zones (the AD domain and its reverse zones) straight to your domain controllers, so nothing internal leaks upstream. Umbrella keeps owning recursion and its verdict; per-client attribution moves to Pi-hole's query log, because Umbrella now sees only the Pi-hole VIP behind the site's egress IP. Then we cut the upstream to a recursive unbound and deregister the LAN, each layer independently, each reversible.
The phases
Six steps. Each one reversible.
Baseline & inventory
We read your current posture: per-VLAN DHCP target, every site's egress IP registered in Umbrella, Roaming Client coverage, internal zones, and your top-1000 domains mapped against their Umbrella verdict over 30 days. Read-only.
Pi-hole goes live behind Umbrella
A Pi-hole HA pair (keepalived VRRP, shared VIP) stands up on a canary VLAN with blocklists deliberately empty. Umbrella anycast stays the upstream, so every query still resolves and gets the Umbrella verdict it always did.
Enable blocklists; compare verdicts
OISD, Hagezi pro + TIF, StevenBlack and NRD feeds load into Pi-hole, tagged into category-equivalent groups. A SIEM dashboard joins Pi-hole and Umbrella verdicts so we tune for over-block and under-block before we expand.
Expand to every LAN VLAN
Every corporate VLAN moves to Pi-hole HA pairs as its DHCP-advertised resolver, rolled out site by site in waves from small to large. Umbrella stays the upstream and each site keeps its own Umbrella Network identity for per-site reporting.
Cut upstream to recursive unbound
Pi-hole's upstream moves from Umbrella anycast to a local recursive unbound resolving from root hints, with Umbrella kept as a secondary fallback. Two checks matter here: dnsmasq spreads queries across every listed upstream by response time unless strict-order is set, so "fallback" has to be configured, not assumed; and unbound now validates DNSSEC, so Pi-hole's own DNSSEC setting stays off and validation happens once. Umbrella leaves the LAN DNS path. Roaming laptops still use Cisco Secure Client off-LAN.
Partial retirement
LAN-egress IPs are deregistered from Umbrella Networks in waves and the LAN spend drops to a roaming-only posture. The Umbrella tenant stays for Cisco Secure Client roaming — the permanent steady state for hybrid orgs. We hold the deregistration through a soak before it is final.
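The forwarding topology described above and the upstream flip in the unbound phase, as an added example that is not part of the original page or of Pi-hole's own tooling: a POSIX shell script that renders the per-phase resolver config into a staging directory, so each phase is a reviewable diff and rolling back is re-staging the previous phase. The AD zone, DC addresses, reverse zone, unbound port, and the Pi-hole v6 config keys (dns.upstreams, misc.dnsmasq_lines) are assumptions; the Umbrella anycast addresses are the public ones.

```shell
#!/bin/sh
# Added example, not the page's or Pi-hole's own code. Renders the LAN resolver
# config for each phase into a staging directory so the per-phase diff can be
# reviewed and a rollback is simply "stage the previous phase again".
# Zone, DC addresses, reverse zone and unbound port are assumed, not from the page.
set -eu

AD_ZONE="corp.example"                       # assumed AD domain
DC_IPS="10.0.0.10 10.0.0.11"                 # assumed domain controllers
REV_ZONE="0.10.in-addr.arpa"                 # assumed reverse zone for 10.0.0.0/16
UMBRELLA="208.67.222.222 208.67.220.220"     # Umbrella anycast resolvers
UNBOUND="127.0.0.1#5335"                     # local recursive unbound (assumed port)

# Conditional forwarders: the AD zone and its reverse zone go straight to the DCs
# and never reach the upstream. Plain dnsmasq syntax; Pi-hole v5 reads it from
# /etc/dnsmasq.d/*.conf, v6 from misc.dnsmasq_lines in pihole.toml (assumed key).
render_forwarders() {
  for dc in $DC_IPS; do
    printf 'server=/%s/%s\n' "$AD_ZONE" "$dc"
    printf 'server=/%s/%s\n' "$REV_ZONE" "$dc"
  done
  # dnsmasq spreads queries across upstreams by response time unless told not to;
  # strict-order makes "unbound first, Umbrella as fallback" mean what the runbook says.
  echo 'strict-order'
}

# Ordered upstream list per phase: 1-3 forward everything to Umbrella anycast,
# 4-5 recurse through local unbound with Umbrella kept as the fallback.
render_upstreams() {
  case "$1" in
    1|2|3) printf '%s\n' $UMBRELLA ;;
    4|5)   printf '%s\n' "$UNBOUND" "${UMBRELLA%% *}" ;;
    *)     echo "unknown phase: $1" >&2; return 1 ;;
  esac
}

# The same list as the JSON array Pi-hole v6 accepts for dns.upstreams (assumed key).
upstream_json() {
  render_upstreams "$1" | awk '
    BEGIN { printf "[" }
    { printf "%s\"%s\"", (NR > 1 ? "," : ""), $0 }
    END { print "]" }'
}

# Recursive unbound for phase 4: root hints, DNSSEC validation, listens only for the Pi-hole.
render_unbound() {
  cat <<'EOF'
server:
  interface: 127.0.0.1
  port: 5335
  access-control: 127.0.0.0/8 allow
  root-hints: "/var/lib/unbound/root.hints"
  auto-trust-anchor-file: "/var/lib/unbound/root.key"
  harden-glue: yes
  harden-dnssec-stripped: yes
  qname-minimisation: yes
  prefetch: yes
EOF
}

# Stage phase $1 into directory $2. Rolling phase N back is staging N-1 and re-applying.
stage_phase() {
  phase="$1"; dir="$2"
  mkdir -p "$dir"
  render_forwarders > "$dir/10-forwarders.conf"
  render_upstreams "$phase" > "$dir/upstreams.txt"
  if [ "$phase" -ge 4 ]; then render_unbound > "$dir/unbound.conf"; fi
  printf "pihole-FTL --config dns.upstreams '%s'\n" "$(upstream_json "$phase")" > "$dir/apply.sh"
}

# Pre-flight before a flip: the first DC answers the AD SRV record and the phase's
# first upstream answers a public name. Needs dig and network access, so it is a
# runbook step, not part of the offline checks.
preflight() {
  command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 2; }
  dig +short +time=2 "@${DC_IPS%% *}" "_ldap._tcp.$AD_ZONE" SRV | grep -q . || return 1
  first=$(render_upstreams "$1" | sed -n '1p')
  port=53
  case "$first" in *"#"*) port="${first#*#}" ;; esac
  dig +short +time=2 "@${first%%#*}" -p "$port" example.com A | grep -q .
}
```

Stage phase 4 into a directory, diff it against the phase 3 staging, then run the generated apply.sh on the Pi-hole pair; `preflight 4` is the check before the flip and needs dig and network access. Rolling back is `stage_phase 3` and re-applying, which is why the whole flip stays inside the 15-minute window.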
Feature parity
Where Pi-hole matches Umbrella, and where it does not.
| Capability | Pi-hole | Cisco Umbrella | Parity |
|---|---|---|---|
| DNS blocking / sinkhole | Pi-hole gravity: NXDOMAIN or 0.0.0.0 sinkhole via FTL | Umbrella deny to a vendor sinkhole or block page | At parity |
| Blocklist sources | gravity.db from arbitrary URLs (OISD, Hagezi pro+TIF, 1Hosts, StevenBlack, MISP, NRD) | Vendor-curated, opaque to the operator | Partial |
| Category taxonomy | Provenance-based group tags (oss-malware, oss-nrd) | Roughly 80 content plus 60 security categories | SaaS only |
| Regex denylist | Regex entries on the query name (POSIX ERE with Pi-hole's own extensions) | Destination lists match a domain and its subdomains; no regex | OSS only |
| Encrypted DNS (DoH / DoT / DoQ) | Upstream DoT via unbound or DoH via a cloudflared sidecar; client-facing DoH/DoT needs a reverse proxy in front; no DoQ | Umbrella DoH; DNSCrypt via the Virtual Appliance and the roaming client | Partial |
| Roaming / off-network client | None native (Tailscale or AdGuard profile workaround) | Cisco Secure Client roaming module, always-on DNS | SaaS only |
| Per-user (SAML) policy | Groups by MAC, IP or hostname only | Umbrella SAML identity (Entra / Okta federation) | SaaS only |
| Passive-DNS / threat intel | None | Umbrella Investigate (passive DNS, WHOIS, co-occurrence) | SaaS only |
| Logging / reporting | FTL SQLite queries + network tables; retention via MAXDBDAYS (v5) or database.maxDBdays (v6) | Reporting v2 REST plus hourly S3 export; ~30-day API retention | Partial |
| API surface | Pi-hole v6 REST API (app-password auth) | Umbrella Reporting / Management API (OAuth2 client-creds) | At parity |
| Deployment & HA | keepalived VRRP plus gravity-sync; BGP /32 for multi-site | Umbrella anycast plus Virtual Appliance HA pair, vendor-managed | Partial |
| Cost model | Self-hosted compute plus ops | Per-seat / per-MAU licensing | Partial |
| Compliance (SOC 2 / BAA) | Self-owned runbook and controls; auditor must accept | SOC 2 / HITRUST / BAA paper trail inherited from Cisco | SaaS only |
What we're honest about
The caveats most vendors leave out.
No passive-DNS intel or Talos SOC
Umbrella Investigate's passive-DNS, WHOIS and co-occurrence pivots have no OSS equivalent, and neither does the bundled 24×7 Talos research. If your SOC pivots on Investigate weekly, keep a cheap Investigate seat indefinitely or budget a paid substitute like VirusTotal Intelligence plus DomainTools — none are free. We budget the labour honestly rather than pretend the gap away.
Roaming and per-user policy stay on Umbrella
Pi-hole has no native always-on roaming client and no SAML-bound per-user policy — it identifies clients by MAC, IP or hostname. That is exactly why the recommended end state is partial: laptops off-LAN keep Cisco Secure Client, and per-user DNS policy stays with Umbrella for that surface. The retirement target is the LAN, not the whole tenant.
Vendor categories become provenance lists
Umbrella ships roughly 80 content and 60 security categories with an SLA; Pi-hole's taxonomy is provenance-based: "OISD said no" rather than "Umbrella categorised this as Cryptomining." We approximate categories by stacking tagged feeds per group, and gate Phase 3 on a verdict-disagreement bar measured against Umbrella's own verdict over the same queries: at most 3% of joined queries where Pi-hole blocked and Umbrella allowed (false positives, over-block) and at most 1% where Pi-hole answered and Umbrella blocked (false negatives, under-block), so the OSS lists actually match what Umbrella was doing.
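The verdict join from the blocklist phase and the Phase 3 gate defined here, as an added example that is not the page's or either vendor's code: a shell/awk script that joins a grouped Pi-hole query export against an Umbrella DNS activity export on domain name and scores over-block and under-block against the 3% / 1% bar. Both files are constructed samples; their column layouts and the grouping query are assumptions rather than the exact export formats, and the FTL status codes follow Pi-hole's documented numbering.

```shell
#!/bin/sh
# Added example, not the page's or any vendor's code: joins a Pi-hole query export
# against an Umbrella DNS activity export on the domain name and reports the
# over-block (FP) and under-block (FN) rates behind the Phase 3 gate.
# Both files below are constructed samples; their columns are assumed, not the
# exact vendor export formats.
set -eu

# Pi-hole side: grouped export from FTL's queries table (assumed query:
# SELECT domain, status, COUNT(*) FROM queries WHERE timestamp > ... GROUP BY domain, status).
# Umbrella side: domain, verdict (allowed/blocked) and category from the DNS activity report.
# mail.corp.example is an internal zone Umbrella never saw, so it must stay unscored.
write_samples() {
  dir="$1"
  cat > "$dir/pihole.csv" <<'EOF'
domain,status,count
www.example.com,2,120
www.example.com,3,300
cdn.example.net,2,80
mail.corp.example,2,50
ads.tracker.example,1,150
telemetry.vendor.example,4,40
c2.badsite.example,2,4
newsite.example,1,20
update.vendor.example,2,86
EOF
  cat > "$dir/umbrella.csv" <<'EOF'
domain,verdict,category
www.example.com,allowed,Search Engines
cdn.example.net,allowed,Infrastructure
ads.tracker.example,blocked,Advertisements
telemetry.vendor.example,blocked,Tracking
c2.badsite.example,blocked,Command and Control
newsite.example,allowed,Newly Seen Domains
update.vendor.example,allowed,Software Updates
EOF
}

# compare_verdicts PIHOLE_CSV UMBRELLA_CSV [FP_MAX_PCT] [FN_MAX_PCT]
# FP = Pi-hole blocked, Umbrella allowed (over-block); FN = Pi-hole answered, Umbrella
# blocked (under-block). Rates are query-weighted over the domains both sides saw;
# queries for domains Umbrella never saw (unjoined) are reported, not scored.
compare_verdicts() {
  awk -F, -v fp_max="${3:-3}" -v fn_max="${4:-1}" '
    FNR == 1 { next }                                   # skip both headers
    NR == FNR { umb[tolower($1)] = (tolower($2) == "blocked"); next }
    {
      d = tolower($1); s = $2 + 0; n = $3 + 0
      if (!(d in umb)) { unjoined += n; next }
      # FTL status codes for a local block: 1 gravity, 4 regex, 5 exact denylist,
      # 9/10/11 their CNAME variants; everything else was answered (2 forwarded, 3 cached).
      pb = (s == 1 || s == 4 || s == 5 || s == 9 || s == 10 || s == 11)
      joined += n
      if (pb && !umb[d]) fp += n
      else if (!pb && umb[d]) fn += n
    }
    END {
      fp_pct = joined ? 100 * fp / joined : 0
      fn_pct = joined ? 100 * fn / joined : 0
      gate = (fp_pct <= fp_max && fn_pct <= fn_max) ? "PASS" : "FAIL"
      printf "joined=%d unjoined=%d FP=%.2f%% FN=%.2f%% GATE=%s\n",
             joined, unjoined, fp_pct, fn_pct, gate
    }' "$2" "$1"
}

# Stage the constructed samples and run the gate at the page's 3% / 1% bar.
main() {
  dir=$(mktemp -d)
  write_samples "$dir"
  compare_verdicts "$dir/pihole.csv" "$dir/umbrella.csv" 3 1
}

main
```

On the sample data the gate passes at 2.50% over-block and 0.50% under-block; tightening the FP bar to 2% flips it to FAIL, which is the knob to turn when a site is more sensitive to false blocks than to missed ones. The one FP row is an NRD-feed hit on a domain Umbrella allowed, the one FN is a C2 domain Umbrella blocked that no OSS list carried yet: exactly the two disagreement classes the SIEM dashboard is meant to surface before the VLAN expansion.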
Self-hosting means you own uptime and compliance
Once the LAN is off Umbrella, Pi-hole being down means LAN DNS is down, with no managed backstop, and your auditor inherits a self-hosted DNS surface instead of Cisco's SOC 2 / HITRUST / BAA paper trail. We run keepalived HA per site, a fallback upstream behind unbound, a tested DR restore, and bring the auditor in at Phase 0 to accept the new evidence packet before anything is deregistered.
Why this beats a flag day
Reversible at every step, with a real soak before anything is cut.
Every phase rolls back in under 15 minutes while the parallel path is live — a DHCP option 6 revert, an upstream flip, or a blocklist disable, never a rebuild. And before the Umbrella LAN spend is cancelled, the partial retirement holds through a soak of at least 30 days at steady state with no verdict-disagreement regression and Roaming Client coverage unchanged. A flag day gives you neither; this gives you both.
See whether your LAN DNS migrates cleanly.
A 30-minute call with a senior network engineer. We map your VLANs, register sites, and roaming coverage, find where OSS blocklists match Umbrella's categories (and where they can't), and tell you honestly what the path off the LAN looks like — before you commit to anything.
Map my migration →