About DNSWatch on the Firebox
When DNSWatch is enabled and your Firebox receives a DNS query from a host on a protected network, it sends the request to DNSWatch. DNSWatch determines whether the domain is a known threat. If a content filter policy is assigned to the Firebox, DNSWatch also determines whether the domain is on the content filter list.
If the domain is not a known threat or filtered content, DNSWatch returns the requested content.
If the domain is a known threat:
- DNSWatch returns the DNSWatch Blackhole content
- DNSWatch tries to gather more information about the threat from the endpoint that made the DNS request
- For HTTP and HTTPS requests, DNSWatch redirects the user to a customizable block page
If the domain is filtered content:
- DNSWatch redirects the user to a customizable block page
For more information about block pages, see About DNSWatch Block Pages.
When you enable DNSWatch on your Firebox, you choose whether to enable usage enforcement. When usage enforcement is enabled, the Firebox redirects all outbound DNS requests on port 53 to DNSWatch, regardless of whether the DNS request is addressed to a specific DNS server. For more information about usage enforcement options, see Enable DNSWatch on Your Firebox.
DNSWatch takes precedence over some DNS settings in your Firebox configuration. If your network includes a local DNS server, make sure you understand DNS settings precedence before you enable enforcement. For more information, see DNSWatch DNS Settings Precedence on a Firebox.
Before you enable DNSWatch, it is important to plan how it will integrate into your network. For DNSWatch configuration examples for several different network scenarios, see DNSWatch on Firebox Configuration Examples.
Firebox Log Messages for the DNSWatch Block Page
In Fireware 12.4 and higher, the Firebox treats connections to the DNSWatch security block page as trusted host connections. When the Firebox allows a connection to the block page, it writes a log message that includes this text:
ProxyDeny: HTTP DNSWatch blackholed domain
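To find which protected hosts reached the block page, you can search exported log text for this message and count matches per client. The script below is an added example, not WatchGuard code. Only the marker text comes from this page; the sample lines, their field layout, and the rule that the first IPv4 address on a line is the client are assumptions made for this example.

```python
import re
from collections import Counter

# Marker text quoted on this page for allowed connections to the block page.
MARKER = "ProxyDeny: HTTP DNSWatch blackholed domain"
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample lines. The field layout is an assumption for this
# example and is not the Firebox log format; only MARKER comes from the page.
SAMPLE_LOG = """\
2024-05-01T10:02:11 Allow 10.0.1.23 198.51.100.7 80/tcp msg="ProxyDeny: HTTP DNSWatch blackholed domain"
2024-05-01T10:02:15 Allow 10.0.1.40 192.0.2.80 443/tcp msg="HTTPS request"
2024-05-01T10:03:02 Allow 10.0.1.23 198.51.100.7 80/tcp msg="ProxyDeny: HTTP DNSWatch blackholed domain"
2024-05-01T10:05:47 Allow 10.0.2.9 198.51.100.7 80/tcp msg="ProxyDeny: HTTP DNSWatch blackholed domain"
2024-05-01T10:06:00 Allow msg="ProxyDeny: HTTP DNSWatch blackholed domain"
"""


def blackhole_hits(lines):
    """Count block-page connections per client address."""
    hits = Counter()
    for line in lines:
        if MARKER not in line:
            continue
        # Assumption: the first IPv4 address on the line is the client.
        match = IPV4.search(line)
        # Keep lines without an address visible instead of dropping them.
        hits[match.group(0) if match else "unknown"] += 1
    return hits


def repeat_clients(hits, threshold=2):
    """Clients with at least `threshold` hits, most active first."""
    return [(client, count) for client, count in hits.most_common()
            if client != "unknown" and count >= threshold]


if __name__ == "__main__":
    hits = blackhole_hits(SAMPLE_LOG.splitlines())
    for client, count in hits.most_common():
        print(f"{client}\t{count}")
    print("repeat clients:", repeat_clients(hits))
```

A host that appears repeatedly is a candidate for endpoint investigation, since each match is a connection that followed a DNS query for a known-threat domain.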