Troubleshoot DNSWatch in WatchGuard Cloud
Applies To: DNSWatch in WatchGuard Cloud
References to DNSWatch in this topic relate to DNSWatch in WatchGuard Cloud. To learn about the legacy DNSWatch UI, go to About WatchGuard DNSWatch in Fireware Help.
When you enable DNSWatch in WatchGuard Cloud, two separate actions occur:
- Firebox Registration — The Firebox contacts the DNSWatch servers and registers itself. After the Firebox is registered, it receives the IP addresses of two DNSWatch DNS servers and a Blackhole Server.
- DNS Forwarding — The Firebox forwards all outbound DNS queries to the DNSWatch DNS servers unless another DNS setting configured on the Firebox has precedence. For more information, go to Precedence for DNSWatch in WatchGuard Cloud.
The forwarding is transparent: the Firebox intercepts all DNS requests on port 53 and forwards them to a DNSWatch DNS server, even if the request was addressed to another DNS server. For more information, go to Enable DNSWatch on Your Firebox.
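One way to confirm from a client behind the Firebox that port 53 interception is actually in effect. This is an added example, not WatchGuard code: it sends a DNS query to 192.0.2.1, an address in the TEST-NET-1 documentation range where no resolver exists (an assumption about the test address, not something the page states). Without interception the query times out; if a reply with the matching transaction ID comes back, something on the path answered in place of that address, which is what DNSWatch forwarding does. The sample reply at the bottom is constructed, not captured traffic.

```python
import socket
import struct
from typing import Optional

# Assumption: 192.0.2.1 is in TEST-NET-1 (RFC 5737), so no real resolver answers there.
# A reply to a query sent to it can only come from something that intercepted the packet.
TEST_NET_RESOLVER = "192.0.2.1"
TXID = 0x1234


def build_query(name: str, txid: int = TXID) -> bytes:
    """Build a minimal DNS A/IN query with the RD (recursion desired) flag set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, flags, QD, AN, NS, AR
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(data: bytes) -> dict:
    """Decode the 12-byte DNS header of a reply."""
    if len(data) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": an}


def classify(reply: Optional[bytes], txid: int = TXID) -> str:
    """Map the probe outcome to a verdict."""
    if reply is None:
        return "not-intercepted"   # timeout/unreachable: the query really went to TEST-NET
    hdr = parse_header(reply)
    if hdr["is_response"] and hdr["txid"] == txid:
        return "intercepted"       # something on the path answered in place of 192.0.2.1
    return "unexpected"            # stray packet, not a reply to our query


def probe(resolver: str = TEST_NET_RESOLVER, name: str = "example.com",
          timeout: float = 2.0) -> Optional[bytes]:
    """Send one UDP/53 query toward `resolver` and return the raw reply, or None."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (resolver, 53))
        reply, _ = sock.recvfrom(512)
        return reply
    except OSError:                # socket timeout and ICMP unreachable both land here
        return None
    finally:
        sock.close()


# Constructed sample reply (not captured traffic): matching id, QR=1, RCODE=0, one answer.
SAMPLE_INTERCEPTED_REPLY = struct.pack(">HHHHHH", TXID, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    print("probe verdict:", classify(probe()))
```

Run it from a host whose default route goes through the Firebox. A verdict of "intercepted" shows only that UDP/53 is being redirected; it does not tell you which server answered, so a DNSWatch precedence rule or another forwarder on the path would give the same result. A "not-intercepted" verdict on a Firebox that reports Status: Operational usually points at a precedence setting or at the client using a DNS transport other than port 53.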
Registration and Status Errors
For locally-managed Fireboxes, you can view the registration status of your Firebox on the DNSWatch configuration page in Fireware Web UI. The DNSWatch page shows the Firebox registration status, and shows whether there are any errors related to the DNSWatch service. It also shows the IP addresses of DNSWatch DNS servers.
If the Firebox is registered and there are no DNSWatch errors, the DNSWatch page in Fireware Web UI shows:
Registration Date: Registered at <date and time>
Status: Operational
If registration fails, or if any other error affects the DNSWatch service, the Status line includes an error message that can be useful for troubleshooting.
Shared Public IP Addresses
To use DNSWatch in WatchGuard Cloud, a public IP address cannot be shared by Fireboxes that are activated in two different WatchGuard Cloud accounts.
If you enable DNSWatch on Fireboxes activated in two different WatchGuard Cloud accounts, and those Fireboxes use the same public IP address, DNSWatch associates the public IP address with the first Firebox that successfully registers with DNSWatch.
Any other Firebox that uses the same public IP address but belongs to a different account receives a registration error and does not receive the IP addresses of the DNSWatch DNS servers. Before you enable DNSWatch, make sure no Firebox that uses the same public IP address is activated in a different WatchGuard Cloud account.
Recommendations
- Only enable DNSWatch on the gateway Firebox in a nested Firebox environment under a single account. This is typically the Firebox closest to the ISP equipment or public IP address.
- Do not enable DNSWatch on Fireboxes in different accounts using a shared public IP address. Choose one of the Fireboxes from one account to enable DNSWatch.
- Do not enable DNSWatch on a Firebox whose primary external interface is behind an Internet service provider NAT (multiple customer networks share a single public address or a small pool of public addresses). Behind an ISP NAT, the public IP address that DNSWatch sees is shared with networks outside your control, so another customer's Firebox can register it first.
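A pre-flight check that applies the shared public IP rule and the three recommendations above to a device inventory before DNSWatch is enabled. This is an added example and not WatchGuard code or any WatchGuard Cloud API: the Firebox fields, the sample inventory (documentation-range addresses, invented names and dates) and the use of RFC 1918 and carrier-grade NAT ranges as the sign of an ISP NAT are all assumptions made for the example. It encodes the page's rule that DNSWatch ties a public IP address to the first successful registration and that later registrations from another account fail.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Assumption: an external interface address in RFC 1918 private space or the RFC 6598
# carrier-grade NAT block (100.64.0.0/10) means the Firebox sits behind another NAT.
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


@dataclass
class Firebox:
    name: str
    account: str              # WatchGuard Cloud account the Firebox is activated in
    external_ip: str          # address on the primary external interface
    public_ip: str            # address the DNSWatch servers see after any upstream NAT
    registered_at: datetime   # when it registered (or would register) with DNSWatch


def behind_isp_nat(fb: Firebox) -> bool:
    addr = ipaddress.ip_address(fb.external_ip)
    return any(addr in net for net in NAT_RANGES)


def check(fireboxes: List[Firebox]) -> Dict[str, List[str]]:
    """Return {firebox name: findings}; an empty list means nothing to fix."""
    findings: Dict[str, List[str]] = {fb.name: [] for fb in fireboxes}
    nested = set()
    by_ip: Dict[str, List[Firebox]] = {}
    for fb in fireboxes:
        by_ip.setdefault(fb.public_ip, []).append(fb)
    for ip, group in by_ip.items():
        group.sort(key=lambda f: f.registered_at)
        owner = group[0]   # DNSWatch ties the public IP to the first successful registration
        for fb in group[1:]:
            if fb.account != owner.account:
                findings[fb.name].append(
                    f"ERROR: {ip} is already registered by {owner.name} in account "
                    f"{owner.account}; this Firebox gets a registration error and no "
                    f"DNSWatch DNS server addresses")
            else:
                nested.add(fb.name)
                findings[fb.name].append(
                    f"WARN: shares {ip} with {owner.name} in the same account; enable "
                    f"DNSWatch only on the gateway Firebox")
    for fb in fireboxes:
        if fb.name not in nested and behind_isp_nat(fb):
            findings[fb.name].append(
                f"WARN: primary external interface {fb.external_ip} is in a private or "
                f"CGNAT range, so the Firebox is behind an ISP NAT; do not enable DNSWatch")
    return findings


# Constructed inventory (not real devices or addresses; 203.0.113.0/24 and
# 198.51.100.0/24 are RFC 5737 documentation ranges).
SAMPLE_INVENTORY = [
    Firebox("hq-gw", "acct-A", "203.0.113.10", "203.0.113.10", datetime(2024, 1, 10, 9, 0)),
    Firebox("hq-inner", "acct-A", "10.0.1.1", "203.0.113.10", datetime(2024, 1, 10, 9, 5)),
    Firebox("tenant-fw", "acct-B", "100.64.9.2", "203.0.113.10", datetime(2024, 1, 11, 8, 0)),
    Firebox("remote-cgnat", "acct-A", "100.64.5.7", "198.51.100.4", datetime(2024, 1, 12, 8, 0)),
]

if __name__ == "__main__":
    for name, notes in check(SAMPLE_INVENTORY).items():
        print(name, "->", notes or ["OK"])
```

In the sample, hq-gw registers first and owns 203.0.113.10; hq-inner is a nested Firebox in the same account and gets only the gateway warning; tenant-fw is in another account behind the same address and gets the registration error the page describes, plus the ISP NAT warning because its external interface is in the CGNAT range; remote-cgnat has its own public address but is also behind a carrier NAT.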
Quick Start — Set Up DNSWatch in WatchGuard Cloud