Enable DNSWatch on Your Firebox

DNSWatch prevents user connections to malicious domains, regardless of the connection type, protocol, or port. You can also apply content filter policies to block content based on categories. For more information, go to About WatchGuard DNSWatch.

You can also apply a content filter policy to the Firebox. If you have a default content filter policy, it automatically applies to new Fireboxes. To apply a content filter policy to your Firebox, go to Manage User Access to Content in DNSWatch.

DNSWatch is a subscription service available with the Total Security Suite. Before you can enable DNSWatch on your Firebox, your Firebox must run Fireware v12.1.1 or higher and must have the DNSWatch subscription service enabled in the feature key. For more information, go to:

About DNSWatch Usage Enforcement Options

When you enable DNSWatch, you must select a usage enforcement option. For each interface, enforcement can be Enabled or Disabled. The Usage Enforcement setting controls which outbound DNS requests the Firebox redirects to the DNSWatch DNS server.

  • Enabled — the Firebox redirects all outbound DNS requests from that interface to DNSWatch DNS servers.
  • Disabled — the Firebox redirects outbound DNS requests from that interface to DNSWatch DNS servers only when the DNS request is addressed to the Firebox.

When you enable DNSWatch, you must select one of these enforcement options:

  • Enforce on all Trusted, Optional, and Custom interfaces
  • Enforce on selected interfaces
  • Disable enforcement

For most networks, we recommend that you enable enforcement on all interfaces.

Configuration Recommendations

DNSWatch interacts with other DNS settings on the Firebox. In most cases, it is not necessary to change your existing DNS configuration when you enable DNSWatch. Here are some specific recommendations:

Usage Enforcement

For most networks, we recommend that you enable DNSWatch enforcement on all interfaces. If you determine that DNSWatch causes problems with DNS resolution for a network client that must use a specific DNS server, disable usage enforcement for just the interface that client connects to. If you disable enforcement, it might be necessary for you to change other DNS settings.

If you disable enforcement for an interface, enable DNS forwarding for that interface in the Firebox Network DNS settings. When DNS forwarding is enabled, and the Firebox is configured as a DHCP server, the Firebox sends its own IP address to DHCP clients as the DNS server IP address. The Firebox forwards outbound DNS requests addressed to the Firebox to DNSWatch DNS servers.

Network (Global) DNS Servers

If your network has an internal DNS server, make sure that the internal DNS server appears first in the network (global) DNS settings. The Firebox uses the global DNS servers for DNS queries that cannot be resolved by the DNSWatch DNS servers. For more information, go to About DNS on the Firebox.

DNS Forwarding Rules

DNSWatch has DNS servers in three regions, US (US East), EU (Ireland), and APAC (Japan and Australia). DNSWatch sends the Firebox the IP addresses of DNSWatch DNS servers in the closest region. If your Firebox is in a different region, and you want to make sure that DNS queries for a specific domain resolve to a DNS server in your local region, you can add a DNS forwarding rule for that domain. In the DNS forwarding rule, specify the IP address of a DNS server of your choice. For more information, go to About DNS Forwarding.

Many WatchGuard products and services are hosted on regional servers. If enforcement is disabled on all interfaces, add DNS forwarding rules for these domains to make sure that the services resolve to servers in your local region:

  • watchguard.com
  • ctmail.com
  • rp.cloud.threatseeker.com

These DNS forwarding rules are not necessary when enforcement is enabled. When enforcement is enabled, DNSWatch does not send DNS requests for these domains to the DNSWatch DNS servers and instead uses a DNS server specified in the network DNS settings on the Firebox.

Local DNS Server

If you disable DNSWatch enforcement for the Firebox interface that your local DNS server connects to, configure the DNS server to use the Firebox interface IP address as the DNS server for DNS queries it cannot resolve. The Firebox then forwards outbound DNS queries it receives from the DNS server to DNSWatch DNS servers.

DNSWatch on a Firebox in Bridge Mode

In Fireware v12.4 or higher, you can enable DNSWatch on a Firebox configured in Bridge Mode. A Firebox in Bridge Mode has the same Usage Enforcement options as a Firebox configured in Mixed Routing Mode. The interface is named Global Bridge in the Protected Fireboxes interfaces list in DNSWatch.

A Firebox in Bridge Mode with DNSWatch enabled cannot resolve host names on local domains unless you create DNS forwarding rules for local domains. For more information about forwarding rules, go to About DNS Forwarding.

The enforcement option you choose affects whether DNSWatch takes precedence over other DNS settings configured on your Firebox. For more information, go to DNSWatch DNS Settings Precedence on a Firebox.

Enable DNSWatch on Your Firebox

You can enable DNSWatch from Policy Manager, CLI, Fireware Web UI, or in WatchGuard Cloud on a cloud-managed Firebox. The registration status and the IP addresses of the DNSWatch DNS servers appear only in Fireware Web UI.

To enable DNSWatch on a cloud-managed Firebox in WatchGuard Cloud, go to Configure Firebox DNS Settings.

Verify DNSWatch Status on the Firebox

After you enable DNSWatch on your Firebox, the Firebox connects to the DNSWatch account where the Firebox was activated and registers the Firebox. The registration status appears in Fireware Web UI on the Front Panel dashboard and on the DNSWatch configuration page. DNSWatch registration status is not available in Policy Manager.

To view the DNSWatch registration status, from Fireware Web UI:

  1. Log in to Fireware Web UI.
  2. Select Subscription Services > DNSWatch.

Screen shot of the DNSWatch configuration page with Registration Status and DNS Servers

The DNSWatch page shows the DNSWatch registration status of your Firebox and the IP addresses of the DNSWatch DNS servers.

  • Status — Indicates the status of DNSWatch. Status can be one of these values:
      • Disabled — DNSWatch is not enabled.
      • Registration pending — The Firebox registration is not yet complete.
      • Retrieving addresses — The Firebox is registered but has not yet received IP addresses from DNSWatch.
      • Operational — The Firebox has successfully registered and retrieved IP addresses.
      • Error — An error occurred. For information about how to troubleshoot DNSWatch errors, go to Monitor DNSWatch Service Status.
  • Registration Date — Indicates the date and time when your Firebox successfully registered with your DNSWatch account.
  • DNS Servers — The IP addresses of the DNSWatch DNS Servers the Firebox uses for DNS resolution. These DNS Server IP addresses also appear on the Interfaces Dashboard, in the DNS Servers list on the Detail tab. For more information, go to About DNSWatch DNS Servers.
  • Blackhole Servers — The IP addresses of the DNSWatch Blackhole Servers. When DNSWatch receives a DNS query for a domain that is on the Domain Feeds or Blocklist, it returns the IP address of the Blackhole server instead of the actual IP address for the requested domain. For more information about DNSWatch Blackhole Servers, go to About DNSWatch Blackhole Servers.
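Because a blocked domain resolves to a Blackhole Server address rather than failing, a client that reached a Domain Feeds or Blocklist entry shows up in resolver logs as an answer equal to one of those addresses. The following script is an added example (not WatchGuard code): it scans constructed resolver log lines for answers that match a configured set of Blackhole Server addresses and counts hits per client. The log format and the Blackhole addresses are assumptions; take the real addresses from the DNSWatch page in Fireware Web UI.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed placeholders from the documentation range, not real DNSWatch
# Blackhole Server addresses; replace with the values shown on your Firebox.
BLACKHOLE_SERVERS = {
    ipaddress.ip_address("198.51.100.10"),
    ipaddress.ip_address("198.51.100.11"),
}

# Assumed (constructed) resolver log format, one record per line:
#   <timestamp> client=<ip> qname=<domain> answer=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) answer=(?P<answer>\S+)$"
)

# Constructed sample log: two clients, three resolutions that hit a blackhole address.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=10.0.1.25 qname=example.com answer=93.184.216.34
2024-05-01T10:00:07Z client=10.0.1.25 qname=bad.example.test answer=198.51.100.10
2024-05-01T10:00:09Z client=10.0.1.40 qname=intranet.example.test answer=10.0.5.2
2024-05-01T10:00:12Z client=10.0.1.40 qname=worse.example.test answer=198.51.100.11
2024-05-01T10:00:15Z client=10.0.1.25 qname=bad.example.test answer=198.51.100.10
this line is malformed and must be skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        answer = ipaddress.ip_address(m["answer"])
    except ValueError:  # answer field is not an IP address
        return None
    return {"ts": m["ts"], "client": m["client"],
            "qname": m["qname"].lower(), "answer": answer}


def blackhole_hits(log_text, blackholes=BLACKHOLE_SERVERS):
    """Return (list of matching records, dict of hit counts per client)."""
    hits, per_client = [], defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["answer"] not in blackholes:
            continue
        hits.append(rec)
        per_client[rec["client"]] += 1
    return hits, dict(per_client)
```

Clients that repeatedly resolve to a Blackhole address are the ones to look at first, since each hit is a connection attempt DNSWatch redirected.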

DNSWatch status also appears in the Front Panel dashboard in Fireware Web UI and in the Front Panel tab in Firebox System Manager.

You can connect to your DNSWatch account to view a list of Fireboxes protected by DNSWatch. For more information, go to View Fireboxes Protected by DNSWatch.

View DNSWatch DNS Servers Used by Your Firebox

When the Firebox receives DNS server IP addresses from DNSWatch, the IP addresses of the DNSWatch DNS servers appear with the IP addresses of other configured DNS servers in several places:

  • In Fireware Web UI, in the Interfaces dashboard, on the Detail tab
  • In WatchGuard System Manager, on the Device Status tab
  • In Firebox System Manager, on the Front Panel
  • In Firebox System Manager, in the Status Report in the Domain Name Servers list

For more information about how to enable DNSWatch and how to view DNSWatch status on the Firebox, go to DNSWatch Firebox Configuration Examples.

Related Topics

About WatchGuard DNSWatch

Monitor DNSWatch Service Status