About WatchGuard DNSWatch

DNSWatch is currently in beta with DNSWatchGO. DNSWatchGO includes DNSWatchGO Client, a lightweight client for endpoint protection off network, and network protection without a Firebox. Some features are only available in the DNSWatchGO beta. For DNSWatchGO beta documentation, log in to the WatchGuard Beta test community.

DNSWatch is a cloud-based subscription service that can be used to protect your network and users from malicious domains. DNSWatch can monitor DNS requests regardless of the connection type, protocol, or port and whether the requests are made on or off your network. When a user tries to visit a malicious or filtered web domain, a block page appears in the browser.

DNSWatch is easily enabled as a subscription service on your Firebox. Before you can enable the DNSWatch feature and configure it on your Firebox, you must add a DNSWatch license to your Firebox feature key.

DNSWatch is not supported in Fireware v12.3.x or lower on a Firebox configured in Bridge Mode. In Fireware v12.4 or higher, DNSWatch enabled on a Firebox in Bridge Mode has the same usage enforcement options as a Firebox configured in Mixed Routing Mode. When DNSWatch is enabled on a Firebox in Bridge Mode, the interface is named Global Bridge in the Protected Fireboxes interfaces list in DNSWatch.

DNSWatch Protection

DNSWatch offers two types of protection:

Network Protection

DNSWatch protects your network from malicious sites and phishing attempts. You can also block domains in specific content categories such as alcohol, gambling, and online dating. When your network appliance or firewall receives a DNS query on a protected network, it uses DNSWatch as the DNS resolver. If the request is to a domain on the Domain Feeds list or filtered domains list, then DNSWatch returns a block page instead of the requested content. If the domain is not on the lists, DNSWatch returns the requested content to the user.

Off-Network Protection

DNSWatchGO Client is an application that you install on portable computers that leave your network, such as employee laptops. DNSWatchGO simultaneously forwards DNS requests to the DNSWatch resolvers and the upstream DNS resolvers. DNSWatch resolvers compare the requested domain to the lists of malicious domains in the Domain Feed and to domains in filtered categories.

If the requested domain is not on the known malicious domains list or on the filtered domains list, the request is resolved by the upstream DNS resolvers and the requested content appears.

If the domain is a known threat or filtered content:

  • DNSWatchGO Client returns the block page content
  • If the requested content links to a malicious domain, DNSWatch gathers more information about the threat

When a computer is connected to your network, your network policies and protections take priority over DNSWatchGO settings.

See Also

Manage DNSWatch

DNSWatch Components
