About DNSWatch on the Firebox

Applies To: DNSWatch in WatchGuard Cloud

This feature is only available to participants in the WatchGuard Cloud Beta program.

References to DNSWatch in this topic relate to DNSWatch in WatchGuard Cloud. To learn about the legacy DNSWatch UI, go to About WatchGuard DNSWatch in Fireware Help.

When DNSWatch is enabled and your Firebox receives a DNS query from a host, it sends the request to DNSWatch. DNSWatch determines whether the domain is a known threat. If a content filtering policy is assigned to the Firebox, DNSWatch also determines if a domain is filtered.

If the domain is not a known threat or filtered, DNSWatch returns the requested content.

If the domain is a known threat:

  • DNSWatch returns the DNSWatch Blackhole content
  • DNSWatch tries to gather more information about the threat from the endpoint that made the DNS request
  • For HTTP and HTTPS requests, DNSWatch redirects the user to a customizable security block page

If the domain is filtered content:

  • DNSWatch redirects the user to a customizable content filtering block page

For more information about block pages, go to About the Block Pages for DNSWatch in WatchGuard Cloud.

When you enable DNSWatch on your locally-managed Firebox, you choose whether to enable usage enforcement. When usage enforcement is enabled, the Firebox redirects all outbound DNS requests on port 53 to DNSWatch, regardless of whether the DNS request is addressed to a specific DNS server. For more information about usage enforcement options, go to Enable DNSWatch on Your Firebox.

DNSWatch takes precedence over some DNS settings in your Firebox configuration. If your network includes a local DNS server, make sure you understand DNS settings precedence before you enable enforcement. For more information, go to Precedence for DNSWatch in WatchGuard Cloud and a Firebox.

Firebox Log Messages for the DNSWatch Block Page

The Firebox treats connections to the DNSWatch security block page as trusted host connections. When the Firebox allows a connection to the block page, it writes a log message that includes this text:

ProxyDeny: HTTP DNSWatch blackholed domain
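Because that text is a stable marker, it is a convenient hook for a detection rule. The script below is an added example, not WatchGuard code: it scans Firebox log text for the marker and summarizes which internal hosts reached the block page, and how often. The surrounding key/value fields (`src_ip`, `host`) and the sample lines are constructed assumptions, not the real Firebox log format.

```python
import re
from collections import Counter

# Marker the page says the Firebox writes when it allows a connection
# to the DNSWatch security block page.
BLACKHOLE_MARKER = "ProxyDeny: HTTP DNSWatch blackholed domain"

# Constructed sample log lines (assumed layout, not real Firebox output).
SAMPLE_LOGS = """\
Jun 01 10:14:02 firebox-hq http-proxy: ProxyDeny: HTTP DNSWatch blackholed domain src_ip="10.0.1.25" dst_ip="203.0.113.10" host="bad.example"
Jun 01 10:14:05 firebox-hq http-proxy: ProxyAllow: HTTP request src_ip="10.0.1.26" dst_ip="198.51.100.7" host="intranet.example"
Jun 01 10:14:09 firebox-hq http-proxy: ProxyDeny: HTTP DNSWatch blackholed domain src_ip="10.0.1.25" dst_ip="203.0.113.10" host="bad.example"
Jun 01 10:15:31 firebox-hq http-proxy: ProxyDeny: HTTP DNSWatch blackholed domain src_ip="10.0.1.40" dst_ip="203.0.113.10" host="c2.example"
"""

# Matches key="value" pairs such as src_ip="10.0.1.25".
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_blackhole_events(log_text):
    """Return one dict per log line that carries the block-page marker."""
    events = []
    for line in log_text.splitlines():
        if BLACKHOLE_MARKER not in line:
            continue  # allowed traffic or unrelated log lines are skipped
        fields = dict(KV_RE.findall(line))
        events.append({
            "src_ip": fields.get("src_ip", "unknown"),
            "host": fields.get("host", "unknown"),
        })
    return events


def hits_per_source(events):
    """Count block-page hits per internal source address."""
    return Counter(e["src_ip"] for e in events)


def repeat_offenders(events, threshold=2):
    """Sources that hit the block page at least `threshold` times.

    Repeated hits from one host are worth a closer look: a user clicking a
    link once looks different from a process retrying a blackholed domain.
    """
    counts = hits_per_source(events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evts = parse_blackhole_events(SAMPLE_LOGS)
    for ip, n in hits_per_source(evts).most_common():
        print(f"{ip}: {n} block-page hit(s)")
    print("repeat offenders:", repeat_offenders(evts))
```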

Related Topics

Enable DNSWatch on Your Firebox

Troubleshoot DNSWatch on a Locally-Managed Firebox

About DNSWatch in WatchGuard Cloud