About WatchGuard DNSWatch
DNSWatch is currently in beta with DNSWatchGO. DNSWatchGO includes DNSWatchGO Client, a lightweight client for endpoint protection off network, and network protection without a Firebox. Some features are only available in the DNSWatchGO beta. For DNSWatchGO beta documentation, log in to the WatchGuard Beta test community.
DNSWatch is easily enabled as a subscription service on your Firebox. Before you can enable the DNSWatch feature and configure it on your Firebox, you must add a DNSWatch license to your Firebox feature key.
DNSWatch is not supported in Fireware v12.3.x or lower on a Firebox configured in Bridge Mode. In Fireware v12.4 or higher, DNSWatch enabled on a Firebox in Bridge Mode has the same usage enforcement options as a Firebox configured in Mixed Routing Mode. When DNSWatch is enabled on a Firebox in Bridge Mode, the interface is named Global Bridge in the Protected Fireboxes interfaces list in DNSWatch.
DNSWatch offers two types of protection:
- Network Protection — DNS protection and content filter enforcement on your network (with or without a Firebox)
- Off-Network Protection — DNS protection and content filter enforcement on portable assets that have the DNSWatchGO Client installed
- To install the DNSWatchGO client, see Download and Install DNSWatchGO Client
DNSWatch protects your network from malicious sites and phishing attempts. You can also block domains in specific content categories such as alcohol, gambling, and online dating. When your network appliance or firewall receives a DNS query on a protected network, it uses DNSWatch as the DNS resolver. If the request is to a domain on the Domain Feeds list or filtered domains list, then DNSWatch returns a block page instead of the requested content. If the domain is not on the lists, DNSWatch returns the requested content to the user.
DNSWatchGO Client is an application that you install on portable computers that leave your network, such as employee laptops. DNSWatchGO simultaneously forwards DNS requests to the DNSWatch resolvers and the upstream DNS resolvers. DNSWatch resolvers compare the requested domain to the lists of malicious domains in the Domain Feed and to domains in filtered categories.
If the requested domain is not on the known malicious domains list or on the filtered domains list, the request is is resolved by the Upstream DNS resolvers and the requested content appears.
If the domain is a known threat or filtered content:
- DNSWatchGO Client returns the block page content
- If the requested content links to a malicious domain, DNSWatch gathers more information about the threat
When a computer is connected to your network, your network policies and protections take priority over DNSWatchGO settings.