Manage DNSWatch Alerts

When DNSWatch denies a request to a domain, the DNS resolver returns the IP address of a DNSWatch Blackhole server. The Blackhole server accepts the connection that was intended for the malicious domain and attempts to collect information about the source of the DNS request, and collects connection data for malware analysis. For more information about the DNSWatch Blackhole servers, go to About DNSWatch Blackhole Servers.

DNSWatch generates an alert for each group of connections from a protected network to a malicious domain. On the Alerts page you can view and manage all alerts for your protected networks.

To view your DNSWatch alerts:

  1. Log in to your DNSWatch account.
  2. Click Report > Alerts.
    The Alerts page opens.

Screen shot of the DNSWatch Alerts page

The Alerts page shows this summary information for each alert:

  • Domain — The domain in the DNS request
  • Protocol — The protocol used in the connection to the Blackhole Server
  • Classification — The type of threat, as classified by the DNSWatch analysis team at WatchGuard
  • Victim — The public IP address of the protected network or device from which the DNS request was received
  • Last Seen — The most recent date and time that DNSWatch received a DNS request to this domain from this protected network
  • Status — The resolution status and connection status:
    • A red x () indicates that the alert is unresolved.
    • A green check mark () indicates that the alert has been resolved.
    • The connection status icon () is red if there is currently an open connection to the Blackhole Server for this alert.

Alert Classifications

All new alerts are unclassified. The DNSWatch team at WatchGuard analyzes new alerts and updates the classification. New alerts remain unclassified until the analysis is complete. The DNSWatch team focuses on rapid categorization of alerts related to malware, ransomware, and phishing. Some alerts might remain unclassified.

Alert classifications are:

  • Unclassified
  • Malware
  • Ransomware
  • Malvertising
  • Phishing
  • Compromised Website
  • Previously Bad
  • Adware Detected
  • Adware Prevented
  • False Alarm — The alert
  • Testing
  • Manually Blocked

The Manually Blocked classification indicates that the DNS request to a domain was denied because it is on the Blocklist. For more information about the Blocklist, go to Manage DNSWatch Blocklist Domains.

View Alert Details

To view more detailed information about an alert, in the Actions column, click View. When you view alert details, you can select the actions to Resolve or Silence the alert.

For more information, go to View DNSWatch Alert Details.

Resolve Alerts

You can change the status of an alert to Resolved. You might do this after you have finished any discussion or investigation and consider it resolved. When the status of an alert is Resolved, DNSWatch does not send email alerts when there is a change to the comments. If a new connection is seen for the domain from the same protected network, DNSWatch automatically reopens a resolved alert.

You cannot resolve an alert that has an open connection.

To resolve an alert from the Alerts page:

  1. Select the check box for one or more alerts
  2. Click Resolve Selected Alerts.

If you want to stop email notifications for an alert but you do not want to change the status to Resolved, you can also silence the email notifications for an alert. You can do this after you click View to view the alert details. For more information, go to View DNSWatch Alert Details.

Filter the Alerts List

You can filter the alerts list by domain, protocol, victim IP address, resolution status, comments, and classification.

To filter the Alerts list:

  1. Click Filter.
    The list of available filters appears.

Screenshot of the list of available filters

  1. Specify one or more of the available filters.
  2. Click Apply Filters.

Tips for alert filters:

  • To view alerts for a specific domain, in the Domain filter, specify the domain name exactly as it appears in the Domain column of the Alerts list. You must include the brackets around the dot. For example, baddomain[.]com. To make sure the domain is an exact match, you can copy and paste the domain from the Domain column for an alert to the Domain filter.
  • To view alerts for a specific protected network, in the Victim IP filter, specify the IP address of the protected network as it appears in the Victim column.

To clear filters on the Alerts list:

  1. Click Filters.
  2. Click Clear Filters.

You can also click Alerts in the navigation menu to refresh the page and clear filters.

View Connections

To view connections associated with an alert, click View to view the alert details. For more information, go to View DNSWatch Alert Details.

To view all connections denied by DNSWatch, click the connections link on the Alerts page.

Screenshot of the connections denied by DNSWatch

For more information, go to View DNSWatch Connections.

Related Topics

About DNSWatch Email Notification

About WatchGuard DNSWatch