1. A User makes a request to a website on the internet which results in a DNS request for the websites domain being sent to Umbrella.
2. Umbrella analyses the request to determine whether the domain that the user is trying to access is malicious or safe. If the domain is deemed as safe, Umbrella responds with the IP address of the domain.
3. The Users device then connects directly to the requested domain as normal.
4. If Umbrella determines that the domain is unsafe to visit, Umbrella responds with the IP address of its Block page, preventing the User from ever connecting to the malicious domain. The same applies to already infected machines that might be trying to call back to these malicious domains.