WatchGuard DNSWatch Integration with DNS Override

Deployment Overview

This document describes the steps to integrate WatchGuard DNSWatch with DNS Override.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

  • DNS Override iOS Client version 1.5.0 (94)
  • Firebox with Fireware v12.3 or higher

Test Topology

[Test topology diagram]

DNSWatch Overview

DNSWatch is a cloud-based service that integrates with your Firebox. DNSWatch monitors DNS requests through the Firebox to prevent connections to known malicious domains. DNSWatch protects against malicious clickjacking and phishing domains regardless of the connection type, protocol or port.

You can integrate DNSWatch services on the Firebox with Wi-Fi Cloud to provide protection to your wireless clients that access your network through your access points. For more information on DNSWatch, see About DNSWatch.

About DNSWatch Enforcement

When you enable DNSWatch, you must select a usage enforcement option. For each Firebox interface, enforcement can be Enabled or Disabled. The Usage Enforcement setting controls which outbound DNS requests the Firebox redirects to the DNSWatch DNS server.

  • Enabled — the Firebox redirects all outbound DNS requests from that interface to DNSWatch DNS servers.
  • Disabled — the Firebox redirects outbound DNS requests from that interface to DNSWatch DNS servers only when the DNS request is addressed to the Firebox.

Configure DNSWatch on a Firebox

WatchGuard DNSWatch is a subscription service on your Firebox.

Before you can enable the DNSWatch feature and configure it on your Firebox, you must add a DNSWatch license to your Firebox feature key.

To enable DNSWatch on the Firebox:

  1. Log in to Fireware Web UI at https://<IP address of Firebox>:8080.
  2. Select Subscription Services > DNSWatch.
  3. Select the Enable DNSWatch Service check box.
  4. From the Usage Enforcement drop-down list, select the type of usage enforcement for your deployment.
  5. Click Save.
  6. Make sure the Firebox successfully obtains the IP addresses for the DNS Servers and Blackhole Servers.

Configure DNS Override

Configure DNS Override in your iOS device

  1. From the App Store, download and install DNS Override to your iOS device.
  2. On the DNS Servers page, click Add DNS profile.
    The Add DNS profile page appears.
  3. In the DNS server 1 text box, type the first DNS server IP address from the DNSWatch page in Fireware Web UI.
  4. Click Add DNS server.
  5. In the DNS server 2 text box, type the second DNS server IP address from the DNSWatch page in Fireware Web UI.
  6. Click Done.
    The Main Menu page appears.
  7. From the Your DNS Profiles list, select DNSWatch.
    The DNSWatch Configure page appears.
  8. Click the DNS Override slider to enable it.

For more information about DNS Override, see

Test DNSWatch Integration with DNS Override

DNS Override can work without a Firebox if you have the IP address of the DNSWatch DNS server. This integration uses the Firebox to confirm that the iOS client device connects to the DNSWatch server.

To test the integration:

  1. On the iOS device, connect to the internet through a Wi-Fi access point protected by a Firebox. The default DNS IP address for the Firebox must not be a DNSWatch IP address.
  2. On the iOS device, browse the internet.
  3. Log in to Fireware Web UI.
  4. Select Dashboard > Front Panel > Top Destinations > View all.
  5. Confirm that the IP addresses of the DNSWatch DNS servers appear in the list several times.
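The check in steps 4 and 5 can be automated once the Top Destinations list (or any per-client destination summary) is exported. The script below is an added example, not part of WatchGuard's documentation or the DNS Override app: it classifies each client's port 53 traffic as going entirely to DNSWatch, partly to DNSWatch, or bypassing it. The DNSWatch and Firebox DNS addresses and the sample records are constructed placeholders, and the record format is a simplified tuple rather than Firebox's own export format.

```python
"""Classify each client's outbound DNS by whether it reached the DNSWatch resolvers.

Sample records are constructed here as (client IP, destination IP, port, hit count)
tuples; they are not Firebox log or dashboard output.
"""
from collections import Counter

# Placeholder DNSWatch resolver addresses: use the real ones shown under
# Subscription Services > DNSWatch in Fireware Web UI.
DNSWATCH_SERVERS = {"198.51.100.10", "198.51.100.11"}
# Placeholder for the Firebox's default DNS server (must not be a DNSWatch address).
FIREBOX_DEFAULT_DNS = "192.0.2.53"

SAMPLE_RECORDS = [
    ("10.0.10.21", "198.51.100.10", 53, 42),   # iOS client with DNS Override enabled
    ("10.0.10.21", "198.51.100.11", 53, 17),
    ("10.0.10.21", "203.0.113.80", 443, 9),    # web traffic, not DNS
    ("10.0.10.35", FIREBOX_DEFAULT_DNS, 53, 30),  # client still using the Firebox DNS
    ("10.0.10.35", "203.0.113.8", 53, 5),      # client pointed at a third-party resolver
    ("10.0.10.50", "198.51.100.10", 53, 8),    # profile applied on only some networks
    ("10.0.10.50", FIREBOX_DEFAULT_DNS, 53, 8),
]

def dns_destinations(records, client):
    """Count port 53 destinations (by hit count) for one client."""
    counts = Counter()
    for src, dst, port, hits in records:
        if src == client and port == 53:
            counts[dst] += hits
    return counts

def classify(records, client, dnswatch=DNSWATCH_SERVERS):
    """Return 'dnswatch', 'partial', 'bypass' or 'no-dns' for one client."""
    dests = dns_destinations(records, client)
    if not dests:
        return "no-dns"
    watched = sum(hits for dst, hits in dests.items() if dst in dnswatch)
    if watched == sum(dests.values()):
        return "dnswatch"
    return "partial" if watched else "bypass"

def report(records, dnswatch=DNSWATCH_SERVERS):
    """Map every client seen in the records to its DNS verdict."""
    clients = sorted({rec[0] for rec in records})
    return {client: classify(records, client, dnswatch) for client in clients}

if __name__ == "__main__":
    for client, verdict in report(SAMPLE_RECORDS).items():
        print(f"{client}: {verdict}")
```

A "bypass" or "partial" verdict for a client that should have the DNS Override profile active means its queries are reaching the Firebox DNS or another resolver, so the step 5 confirmation would fail for that device.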