About the Blackhole Server for DNSWatch in WatchGuard Cloud
Applies To: DNSWatch in WatchGuard Cloud
This feature is only available to participants in the WatchGuard Cloud Beta program.
References to DNSWatch in this topic relate to DNSWatch in WatchGuard Cloud. To learn about the legacy DNSWatch UI, go to About WatchGuard DNSWatch in Fireware Help.
A key component of the WatchGuard DNSWatch solution is the Blackhole server. When DNSWatch resolvers receive a DNS request for a malicious domain, they return the IP address of the DNSWatch Blackhole server instead of the IP address of the requested domain. The Blackhole server collects data about the attempted connections to malicious domains from your accounts and Fireboxes. The Blackhole server also hosts the DNSWatch block pages that users see in the browser when DNSWatch denies HTTP or HTTPS connections.
Data Collection and Connection Analysis
The Blackhole server receives the connection intended for the malicious domain and attempts to collect information about the client. This includes information such as the private IP address, host name, and user name.
Connection Analysis
The DNSWatch Blackhole server accepts the connection that was intended for the malicious domain and collects NetFlow traffic data for analysis. DNSWatch parses the network protocols.
Connections
DNSWatch records the date and time of each attempted connection to the same blocked domain.
Block Pages
The Blackhole server also hosts the DNSWatch block pages that appear when DNSWatch blocks a malicious DNS request or blocks a request based on content filtering settings.
You can customize the text, style, and logo on these pages to meet the requirements of your organization. For more information, go to Manage the Block Pages for DNSWatch in WatchGuard Cloud.
By default, DNSWatch in WatchGuard Cloud blocks the suspicious.dnswatch.watchguard.com domain. This means that you can browse to this domain to view the security block page.
When a domain is filtered or blocked by the DNSWatch Global Domain Feed or the DNSWatch configuration, and is also blocked by WebBlocker, the DNSWatch security block page or content filter block page appears instead of a WebBlocker deny message.
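Because the suspicious.dnswatch.watchguard.com test domain is blocked by default, a client can confirm that its DNS path is protected by resolving that name and comparing the answer with the Blackhole server address. The script below is an added example, not WatchGuard code; the Blackhole address in it is a placeholder from the documentation range, because this topic does not list the real one, and the function names are illustrative.

```python
import ipaddress
import socket

TEST_DOMAIN = "suspicious.dnswatch.watchguard.com"  # blocked by default, per this topic

# Placeholder (RFC 5737 documentation address). Assumption: replace it with the
# Blackhole server address observed in your own deployment.
BLACKHOLE_IPS = {"192.0.2.10"}


def system_resolver(name):
    """Resolve name through the OS resolver and return a set of IP strings."""
    try:
        infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()  # NXDOMAIN, timeout, or no resolver configured
    return {info[4][0] for info in infos}


def check_sinkhole(name=TEST_DOMAIN, blackhole_ips=BLACKHOLE_IPS,
                   resolver=system_resolver):
    """Classify how name resolves relative to the expected Blackhole address(es).

    Returns (verdict, answers), where verdict is one of:
      "sinkholed"      every answer is a Blackhole address
      "partial"        some answers are Blackhole addresses, some are not
      "not_sinkholed"  answers exist but none is a Blackhole address
      "unresolved"     the name returned no address at all
    """
    # Compare parsed addresses so that IPv6 case and zero-compression
    # differences do not produce a false "not_sinkholed".
    expected = {ipaddress.ip_address(ip) for ip in blackhole_ips}
    answers = {ipaddress.ip_address(ip) for ip in resolver(name)}
    if not answers:
        verdict = "unresolved"
    elif answers <= expected:
        verdict = "sinkholed"
    elif answers & expected:
        verdict = "partial"
    else:
        verdict = "not_sinkholed"
    return verdict, sorted(str(a) for a in answers)


if __name__ == "__main__":
    verdict, answers = check_sinkhole()
    print(f"{TEST_DOMAIN}: {verdict} {answers}")
```

A "not_sinkholed" or "partial" result on a client that should be protected indicates that some or all of its DNS queries are answered by a resolver other than DNSWatch.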