Enable DNSWatch on Your Firebox

Applies To: DNSWatch in WatchGuard Cloud

This feature is only available to participants in the WatchGuard Cloud Beta program.

References to DNSWatch in this topic relate to DNSWatch in WatchGuard Cloud. To learn about the legacy DNSWatch UI, go to About WatchGuard DNSWatch in Fireware Help.

DNSWatch is a subscription service available with the Total Security Suite. Before you can enable DNSWatch on your Firebox you must have the DNSWatch subscription service enabled in the feature key.

Enable DNSWatch on a Cloud-Managed Firebox

When DNSWatch is enabled on a cloud-managed Firebox and the Firebox receives a DNS query, it uses DNSWatch as the DNS resolver. If the requested domain is filtered or blocked in the DNSWatch configuration, DNSWatch returns a block page instead of the requested content.

  1. In the Networking section on the Device Configuration page for the Firebox, click the DNS widget.
    The DNS configuration page opens.
  2. Select the DNSWatch tab.
  3. Enable DNSWatch.

Screen shot of the DNS configuration, DNSWatch tab

  1. Click Save.

Enable DNSWatch on a Locally-Managed Firebox

You can enable DNSWatch from Policy Manager, CLI, or Fireware Web UI. The registration status and the IP addresses of the DNSWatch DNS servers appear only in Fireware Web UI.

  1. Select Subscription Services > DNSWatch.

Screen shot of the DNSWatch settings in Fireware Web UI

  1. Select the Enable DNSWatch Service check box.
  2. From the Usage Enforcement drop-down list, select the enforcement option.
    The default option is Disable enforcement.
    If your network does not have a local DNS server, we recommend you change this to enable enforcement on some or all internal interfaces.
  3. If you selected Enforce on all Trusted, Optional and Custom interfaces, to select the interfaces for enforcement, click Select.
    The list of internal interfaces appears. By default, enforcement is enabled on all interfaces.

  1. Enforcement for all interfaces is enabled by default. To disable enforcement for an interface, clear the check box for that interface.
  2. Click OK.
  3. Click Save.
    The Firebox connects to the DNSWatch account where the Firebox was activated and registers the Firebox to your DNSWatch account. Registration status and IP addresses of DNSWatch DNS Servers appear on the DNSWatch configuration page.
  1. Select Subscription Services > DNSWatch.

Screen shot of the Threat Detection & Response page in Policy Manager

  1. Select the Enable DNSWatch check box.
  2. From the drop-down list, select the enforcement option.
    The default option is Disable enforcement.
    If your network does not have a local DNS server, we recommend you change this to enable enforcement on some or all internal interfaces.
  3. If you selected Enforce on all Trusted, Optional and Custom interfaces, click Select to select the interfaces for enforcement.
    The list of internal interfaces appears.

Screen shot of the Select Interfaces dialog box

  1. Enforcement for all interfaces is enabled by default. To disable enforcement for an interface, clear the check box for that interface.
  2. Click OK.
  3. Save the configuration to the Firebox.
    The Firebox connects to the DNSWatch account where the Firebox was activated and registers the Firebox to your DNSWatch account. Registration status and IP addresses of DNSWatch DNS Servers appear on the DNSWatch configuration page.

About DNSWatch Usage Enforcement Options on Locally-Managed Fireboxes

When you enable DNSWatch on a locally-managed Firebox, you must select a usage enforcement option. For each interface, enforcement can be Enabled or Disabled. The Usage Enforcement setting controls which outbound DNS requests the Firebox redirects to the DNSWatch DNS server.

  • Enabled — the Firebox redirects all outbound DNS requests from that interface to DNSWatch DNS servers.
  • Disabled — the Firebox redirects outbound DNS requests from that interface to DNSWatch DNS servers only when the DNS request is addressed to the Firebox.

When you enable DNSWatch on a locally-managed Firebox, you must select one of these enforcement options:

  • Enforce on all Trusted, Optional, and Custom interfaces
  • Enforce on selected interfaces
  • Disable enforcement

For most networks, we recommend that you enable enforcement on all interfaces.

Configuration Recommendations

DNSWatch interacts with other DNS settings on the Firebox. In most cases, it is not necessary to change your existing DNS configuration when you enable DNSWatch. Here are some specific recommendations:

Usage Enforcement

For most networks, we recommend that you enable DNSWatch enforcement on all interfaces. If you determine that DNSWatch causes problems with DNS resolution for a network client that must use a specific DNS server, disable usage enforcement for just the interface that client connects to. If you disable enforcement, it might be necessary for you to change other DNS settings.

If you disable enforcement for an interface, enable DNS forwarding for that interface in the Firebox Network DNS settings. When DNS forwarding is enabled, and the Firebox is configured as a DHCP server, the Firebox sends its own IP address to DHCP clients as the DNS server IP address. The Firebox forwards outbound DNS requests addressed to the Firebox to DNSWatch DNS servers.

Network (Global) DNS Servers

If your network has an internal DNS server, make sure that the internal DNS server appears first in the network (global) DNS settings. The Firebox uses the global DNS servers for DNS queries that cannot be resolved by the DNSWatch DNS servers.

DNS Forwarding Rules

DNSWatch has DNS servers in multiple regions. DNSWatch sends the Firebox the IP addresses of DNSWatch DNS servers in the closest region.

Many WatchGuard products and services are hosted on regional servers. If enforcement is disabled on all interfaces, add DNS forwarding rules for these domains to make sure that the services resolve to servers in your local region:

  • watchguard.com
  • ctmail.com
  • rp.cloud.threatseeker.com

These DNS forwarding rules are not necessary when enforcement is enabled. When enforcement is enabled, DNSWatch does not send DNS requests for these domains to DNSWatch and instead uses a DNS server specified in the network DNS settings on the Firebox.

Local DNS Server

If you disable DNSWatch enforcement for the Firebox interface that your local DNS server connects to, configure the DNS server to use the Firebox interface IP address as the DNS server for DNS queries it cannot resolve. The Firebox then forwards outbound DNS queries it receives from the DNS server to DNSWatch DNS servers.

DNSWatch on a Firebox in Bridge Mode

You can enable DNSWatch on a Firebox configured in Bridge Mode. A Firebox in Bridge Mode has the same Usage Enforcement options as a Firebox configured in Mixed Routing Mode. The interface is named Global Bridge in the Protected Fireboxes interfaces list in DNSWatch.

A Firebox in Bridge Mode with DNSWatch enabled cannot resolve host names on local domains unless you create DNS forwarding rules for local domains.

The enforcement option you choose affects whether DNSWatch takes precedence over other DNS settings configured on your Firebox. For more information, go to Precedence for DNSWatch in WatchGuard Cloud and a Firebox.

Verify DNSWatch Status on the Firebox

After you enable DNSWatch on your Firebox, the registration status appears in Fireware Web UI on the Front Panel dashboard and on the DNSWatch configuration page. DNSWatch registration status is not available in Policy Manager.

To view the DNSWatch registration status, from Fireware Web UI:

  1. Log in to Fireware Web UI.
  2. Select Subscription Services > DNSWatch.

Screen shot of the DNSWatch configuration page with Registration Status and DNS Servers

The DNSWatch page shows the DNSWatch registration status of your Firebox and the IP addresses of the DNSWatch DNS servers.

  • Status — Indicates the status of DNSWatch. Status can be one of these values:
  • Disabled — DNSWatch is not enabled.
  • Registration pending — The Firebox registration is not yet complete.
  • Retrieving addresses — The Firebox is registered but has not yet received IP addresses from DNSWatch.
  • Operational — The Firebox has successfully registered and retrieved IP addresses.
  • Error — An error occurred.
  • Registration Date — Indicates the date and time when your Firebox successfully registered.
  • DNS Servers — The IP addresses of the DNSWatch DNS Servers the Firebox uses for DNS resolution.
  • Blackhole Servers — The IP addresses of the DNSWatch Blackhole Server. For more information, go to About the Blackhole Server for DNSWatch in WatchGuard Cloud.

DNSWatch status also appears in the Front Panel dashboard in Fireware Web UI and in the Front Panel tab in Firebox System Manager.

Related Topics

About DNSWatch in WatchGuard Cloud

Quick Start — Set Up DNSWatch in WatchGuard Cloud

Add a DNSWatch Configuration in WatchGuard Cloud