When DNSWatch denies a request to a domain, the DNS resolver returns the IP address of a DNSWatch blackhole server. The blackhole server accepts the connection that was intended for the malicious domain and attempts to collect information about the source of the DNS request, and collects connection data for malware analysis. For more information about the DNSWatch blackhole servers, see About DNSWatch Blackhole Servers.
DNSWatch generates an alert for each group of connections from a protected network to a malicious domain. On the Alerts page you can see and manage all alerts for your protected networks.
To see your DNSWatch alerts:
- Log in to your DNSWatch account.
- Click Report > Alerts.
The Alerts page appears.
The Alerts page shows this summary information for each alert:
- Domain — The domain in the DNS request
- Protocol — The protocol used in the connection to the Blackhole Server
- Classification — The type of threat, as classified by the DNSWatch analysis team at WatchGuard
- Victim — The public IP address of the protected network or device from which the DNS request was received
- Last Seen — The most recent date and time that DNSWatch received a DNS request to this domain from this protected network
- Status — The resolution status and connection status:
  - A red X icon indicates that the alert is unresolved.
  - A green check mark icon indicates that the alert has been resolved.
  - The connection status icon is red if there is currently an open connection to the Blackhole Server for this alert.
All new alerts are unclassified. The DNSWatch team at WatchGuard analyzes new alerts and updates the classification. New alerts remain unclassified until the analysis is complete. The DNSWatch team focuses on rapid categorization of alerts related to malware, ransomware, and phishing. Some alerts might remain unclassified.
Alert classifications are:
- Compromised Website
- Previously Bad
- Adware Detected
- Adware Prevented
- False Alarm — The alert
- Manually Blackholed
The Manually Blackholed classification indicates that the DNS request to a domain was denied because it is on the Blacklist. For more information about the Blacklist, see Manage DNSWatch Blacklisted Domains.
View Alert Details
To see more detailed information about an alert, in the Actions column, click View. When you view alert details, you can choose the actions to Resolve or Silence the alert.
For more information, see View DNSWatch Alert Details.
You can change the status of an alert to Resolved. You might do this after you have finished any discussion or investigation and consider it resolved. When the status of an alert is Resolved, DNSWatch does not send email alerts when there is a change to the comments. If a new connection is seen for the domain from the same protected network, DNSWatch will automatically reopen a resolved alert.
You cannot resolve an alert that has an open connection.
To resolve an alert from the Alerts page:
- Select the check box for one or more alerts.
- Click Resolve Selected Alerts.
If you want to stop email notifications for an alert but you do not want to change the status to Resolved, you can also silence the email notifications for an alert. You can do this after you click View to see the alert details. For more information, see View DNSWatch Alert Details.
Filter the Alerts List
You can filter the alerts list by domain, protocol, victim IP address, resolution status, comments, and classification.
To filter the Alerts list:
- Click Filter.
The list of available filters appears.
- Specify one or more of the available filters.
- Click Apply Filters.
Tips for alert filters:
- To see alerts for a specific domain, in the Domain filter, specify the domain name exactly as it appears in the Domain column of the Alerts list. You must include the brackets around the dot. For example, baddomain[.]com. To make sure the domain is an exact match, you can copy and paste the domain from the Domain column for an alert to the Domain filter.
- To see alerts for a specific protected network, in the Victim IP filter, specify the IP address of the protected network as it appears in the Victim column.
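The Domain filter only matches when the value uses the same bracketed-dot form as the Domain column (baddomain[.]com). The helper below is an added example, not WatchGuard's code or part of DNSWatch; it converts plain domains to that defanged form (and back), normalizes case and trailing dots so a pasted value matches exactly, and runs an exact-match filter over a few constructed alert rows that imitate the Domain and Victim columns. The alert rows, the field names and the `filter_alerts` function are assumptions made for the example.

```python
import re

# One DNS label: alphanumerics and hyphens, no leading or trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")


def refang_domain(domain: str) -> str:
    """Return the plain form of a domain that may be written as baddomain[.]com.

    Normalizes to lowercase and strips surrounding whitespace and a trailing
    dot, so copy/pasted values compare equal. Raises ValueError on anything
    that is not a syntactically valid domain name.
    """
    d = domain.strip().lower().replace("[.]", ".").rstrip(".")
    if not _DOMAIN_RE.fullmatch(d):
        raise ValueError(f"not a valid domain name: {domain!r}")
    return d


def defang_domain(domain: str) -> str:
    """Return the domain in the bracketed-dot form the Alerts page uses.

    Accepts plain or already-defanged input and never double-brackets.
    """
    return refang_domain(domain).replace(".", "[.]")


def filter_alerts(alerts, domain=None, victim=None):
    """Exact-match filter over alert rows, mirroring the Domain / Victim IP filters.

    `alerts` is a list of dicts with 'domain' (defanged, as in the Domain column)
    and 'victim' (public IP of the protected network). A domain filter given in
    plain form is defanged before comparison so it matches the column value.
    """
    wanted_domain = defang_domain(domain) if domain else None
    wanted_victim = victim.strip() if victim else None
    out = []
    for row in alerts:
        if wanted_domain and defang_domain(row["domain"]) != wanted_domain:
            continue
        if wanted_victim and row["victim"] != wanted_victim:
            continue
        out.append(row)
    return out


# Constructed sample rows imitating the Alerts list (not real DNSWatch data).
SAMPLE_ALERTS = [
    {"domain": "baddomain[.]com", "victim": "198.51.100.10", "status": "unresolved"},
    {"domain": "c2[.]example[.]net", "victim": "198.51.100.10", "status": "resolved"},
    {"domain": "baddomain[.]com", "victim": "203.0.113.7", "status": "unresolved"},
]

if __name__ == "__main__":
    # A plain domain typed by an analyst is converted before matching.
    for row in filter_alerts(SAMPLE_ALERTS, domain="BadDomain.com"):
        print(row["domain"], row["victim"], row["status"])
```

Validation in `refang_domain` matters because a filter value with a typo (or an extra space from the clipboard) would otherwise silently match nothing; raising early tells the analyst the filter itself is wrong rather than that no alerts exist.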
To clear filters on the Alerts list:
- Click Filters.
- Click Clear Filters.
You can also click Alerts in the top navigation menu to refresh the page and clear filters.
To see connections associated with an alert, click View to see the alert details. For more information, see View DNSWatch Alert Details.
To see all connections denied by DNSWatch, click the connections link at the top of the Alerts page.
For more information, see View DNSWatch Connections.