DNSWatch is currently in beta with DNSWatchGO. DNSWatchGO includes DNSWatchGO Client, a lightweight client for endpoint protection off network, and network protection without a Firebox. Some features are only available in the DNSWatchGO beta. For DNSWatchGO beta documentation, log in to the WatchGuard Beta test community.
A key component of the DNSWatch solution is the Blackhole Servers. When DNSWatch resolvers receive a DNS request to a malicious domain, they return the IP address of the DNSWatch Blackhole server instead of the IP address of the requested domain. The Blackhole servers collect data about the attempted connections to malicious domains from your protected networks. The Blackhole servers also host the DNSWatch security block page that users see in the browser when DNSWatch denies HTTP or HTTPS connections.
Data Collection and Malware Analysis
The Blackhole server receives the connection intended for the malicious domain and attempts to collect information about the source of the DNS request. This includes information such as the private IP address, host name, and user name. This information can help you identify the victim or victims on the protected network and appears on the Details tab for the alert.
The DNSWatch Blackhole server accepts the connection that was intended for the malicious domain and collects netflow traffic for analysis. DNSWatch parses the network protocols. The information DNSWatch collects for a connection appears in the Malware Analysis tab for an alert.
DNSWatch records the date and time of each attempted connection to the same denied domain. An alert combines information about all attempted connections from one protected network to the same malicious domain. The information about connections appears in the Connections tab for an alert.
For more information about DNSWatch alerts, see View DNSWatch Alert Details.
Security Block Page
The Blackhole Servers also host the DNSWatch security block page that users see when DNSWatch denies a malicious DNS request.
You can customize the text, style, and logo on this page to meet the needs of your organization. For more information, see Customize DNSWatch Block Pages.
By default, the domain strongarm[.]test is on the Blacklist in your DNSWatch account. This means that you can browse to this domain from a protected network to see the block page.
When a domain is in both the DNSWatch Blacklist and a denied WebBlocker category, users see the DNSWatch security block page instead of a WebBlocker Deny message.