A key component of the DNSWatch solution is the Blackhole server. When DNSWatch resolvers receive a DNS request to a malicious domain, they return the IP address of the DNSWatch Blackhole server instead of the IP address of the requested domain. The Blackhole server collects data about the attempted connections to malicious domains from your protected networks, Fireboxes, and DNSWatchGO clients. The Blackhole server also hosts the DNSWatch block pages that users see in the browser when DNSWatch denies HTTP or HTTPS connections.
Data Collection and Malware Analysis
The Blackhole server receives the connection intended for the malicious domain and attempts to collect information about the client. This includes information such as the private IP address, host name, and username. This information appears on the Details tab for the alert and can help you identify the victim or victims.
The DNSWatch Blackhole server accepts the connection that was intended for the malicious domain and collects netflow traffic for analysis. DNSWatch parses the network protocols. The information DNSWatch collects for a connection appears in the Malware Analysis tab for an alert.
DNSWatch records the date and time of each attempted connection to the same denied domain. An alert combines information about all attempted connections from one protected network to the same malicious domain. The information about connections appears in the Connections tab for an alert.
For more information about DNSWatch alerts, see View DNSWatch Alert Details.
The Blackhole server also hosts the DNSWatch block pages that users see when DNSWatch denies a malicious DNS request or filters a request based on content.
You can customize the text, style, and logo on these pages to meet the needs of your organization. For more information, see Customize DNSWatch Block Pages.
By default, suspicious.dnswatch.watchguard.com is on the Blacklist in your DNSWatch account. This means that you can browse to this domain to see the block page.
When a domain is in both the DNSWatch Blacklist and a denied WebBlocker category, users see the DNSWatch security block page instead of a WebBlocker Deny message.