DNSWatch - General — WatchGuard Community

Possible network loop?

Olix — Wed, 11 Feb 2026 06:24:55 +0000

I have another question about the DNSWatch configuration:

I use an internal DNS server and set the IP address at the top of the global DNS server list in the Firebox, as recommended in the instructions. Enforcement is disabled.

On my DNS server, I now enter the IP address of the Firebox as the DNS forwarder. (As described in the Help Center under “DNSWatch DNS Settings Precedence on a Firebox” , if DNSWatch enforcement is disabled)

Doesn't the DNS query then go round in circles permanently?

The internal DNS server forwards DNS queries to the Firebox. The Firebox has the internal DNS server entered as its first DNS server. According to the instructions, this has priority over DNSWatch, and the query then goes back to the internal DNS server... and so on.

More than one internal DNS Server

Olix — Wed, 11 Feb 2026 08:45:00 +0000

I am using a scenario as described in example 6 in the Watchguard Help Center, “Multiple Internal Networks.”

However, I am using two internal DNS servers. In this case, should both internal DNS server IP addresses be listed as the first and second entries in the Network (Global) DNS Server List on the Firebox, with a public DNS server as the third entry?

Usage Enforcement only on external traffic?

Olix — Tue, 10 Feb 2026 10:16:59 +0000

When using DNSWatch with active enforcement mode, is only external traffic (to the Internet) monitored, or is traffic between internal interfaces (Trusted, Optional) on TCP/53 also monitored and redirected to the DNSWatch servers?

Noob question - Enabled DNSWatch Enforement - DNS breaks - what am I missing?

Mordac — Tue, 12 Nov 2019 20:47:27 +0000

We have two internal DNS servers (Windows) on our network, configured with forwarders pointing to Google DNS and OpenDNS servers. We have one protected interface on our WatchGuard 500. I enabled DNSWatch enforcement on the one protected interface. All of DNS requests (for external name/IP resolution) go out through the protected interface. When I enabled DNSWatch enforcement, users PCs (that point to our two internal DNS servers for name/IP resolution) no longer are able to resolve any external FQDNs to IPs. My understanding from WatchGuard docs is that once enforcement is enabled, DNSWatch will redirect the name/IP resolution requests to the nearest WatchGuard (StrongArm) DNS servers. So even if a user PC points to our internal DNS server which in turn tries to contact Google 8.8.8.8 (for example), DNSWatch will intercept and redirect the request to its (Strongarm) DNS server to either resolve, or will return the IP of the DNS sinkhole server.
I am guessing that I am missing something as DNS breaks (unable to resolve external FQDN to IP). Any suggestions appreciated. Thanks!

DNSWatch answering when not enabled

CWR — Sun, 16 Feb 2025 02:15:30 +0000

We have noticed our m370 which does not have DNS Watch enabled is sending dns queries to the DNSWatch EU servers 34.240.115.208 and 34.251.171.117 so only one of our own configured dns servers get used after those two. Had a look through the network settings and those of the vlans etc and can only see out 2 dns servers. The site has had some odd dns behaviour so wondering if this could be related.

We tested DNSWatch when it first came out but disabled it and switched to our own over a year ago.

Logs show the dns requests going to the dnswatch servers.

On latest firmware.

Have I missed a setting or does this need to ne escalated to support.

Out M390 at our other site (same config) does not have this issue and uses both our configured dns servers.

DNSWatch Down Again

HN13 — Tue, 22 Oct 2024 06:59:38 +0000

Hello together,

this morning DNSWatch stopped working again for us. No internet for whole company..
On watchguard status page everything is shown green. I´ll disable this service now an neveruse it again. It´s to risky. Maybe Cisco has better service. Annoying.

Best regards

Hendrik

DNS Server in Ireland down? 34.251.171.117 get unknown error

HN13 — Mon, 02 Sep 2024 07:50:49 +0000

From last Friday on my DNSWatch did not work. I had to disable DNSWatch on my firebox to get my company get back to work.

Isn´t there a fallback to 34.240.115.208?

I am not sure what to do.

Best regards

Hendrik

How to identify IP Address of a "Victim Port" number?

Jes_DFS — Tue, 09 Jul 2024 15:03:18 +0000

Under DNS Watch - "Initial connection details"
How do I determine the actual user's IP address using the victim port number? I would like to do this so I can review the user's computer, browser history, perform a scan if needed, etc. In the same window where I see "victim port", it does show "victim ip address" but it is our public facing IP address, not a specific end user's IP address and then the victim hostname is unknown. I would like to try and track these down if possible.

DNSWatch protected network in Firefox - Just an IP adress?

Jordi — Thu, 25 Jan 2024 12:41:27 +0000

Hi,

We have activated the DNSWatch in our Firefox now. We see in DNSWacth site it, everything looks fine.

But we see that the messages for block sites and content police are the generics and not the customiced.

In my opinion, it is becouse the protected network of the Firefox is just a public IP (/32) but we have more than an IP (/28) and the users goes out by other public IP than the firefox.

The option to add protected network in the DNSWacth site say that we need a extra license

Anybody know how to do it?

Thanks in advanced,
Jordi.

DNS_PROBE_FINISHED_NXDOMAIN

toscanatlc — Mon, 27 Sep 2021 18:52:59 +0000

Hello everyone,

for some time now a strange thing has happened to me for the watchguard forum site, when I try to login on the forum the "DNS_PROBE_FINISHED_NXDOMAIN" page appears after 1 second the page is automatically reloaded and everything is ok.

the nice thing that it does only on the forum site .... it happens to you too, I have active dnswatch

DNS watch - suspicious connections

tantony — Tue, 02 May 2023 12:30:24 +0000

Hello,

For the last couple of weeks, I've been getting this email about DNSWatch stopping suspicious domains. Its good that it was caught and blocked, but is there anything else I can do? Should I open a case with support?

_Greetings,
DNSWatch stopped one of your devices from connecting with a suspicious domain. Your network is safe. _

When I login to DNSWatch, this is what I see. Looks like the latest are from Vietnam (.vn).

How to watchguard m270 and look at ports being forwarded to an exchange server

Ain2828 — Thu, 05 Jan 2023 17:47:05 +0000

How to watchguard m270 and look at ports being forwarded to an exchange server

DNSWatchGo clients behind Firebox

Catweazle30169 — Fri, 19 Jun 2020 11:59:16 +0000

Hello.
Were using DNSWatchGo on our notebooks and DNSWatch on our Fireboxes.
I suppose, we have DNS performance problems, when both are active. I checked one computer. DNS was set to ::1 and 127.0.0.1 instead the "normal" DNS-Servers. Is it possible to deactivate DNSWatchGo automatically, when the machines runs in corporate network?

Thanks in advance for your answers.

Have a nice weekend

Dirk Emmermacher

Total security suite and DNSWatchGo

RalphtheMac — Wed, 16 Nov 2022 13:58:13 +0000

Hi there, I am trying to ascertain what benefits I might get for my users/endpoints from DNSWatchGo.
We already have Total Security Suite on Watchguard Firewalls, accross a number of sites. Home users _usually _ use a VPN that is not split tunnel.

I had thought that possibly DNSWatchGo might protect home users that are not on VPN. However, I dont fully know the benefits of the product over and above what the firewall setup offers (with DNS protection already setup).

So my question is -
aside from users at home that do not use VPN - does DNSWatch offer extra protection over the firewall protection for users on and offsite? if so, what is it!?

Thank you!

Proper way to set up a global local DNS Server

Pops21 — Fri, 23 Sep 2022 11:51:52 +0000

Good day all. I am an end-user of the T70 Firewall since they were brand new. I am in need of properly setting up my DNS server that applies to all networks on my unit. Here is what I have done so far: I have formatted a Raspberry Pi for use as a DNS Server (Pihole), and assigned it to a reserved address on 192.168.111.3 on my "Trusted" network. I then went to the DNS tab on my Interfaces section of Networks and specified that address as the ONLY DNS server. I then checked "enable DNS Forwarding" and had the T70 listen on "Trusted, Optional and Custom" interfaces. I did NOT specify a Domain name sinece my server is local to the T70 on the "Trusted" interface. I am running three networks on this unit, (2 wireless and one wired) with each network having its own IP range (Trusted 192.168.111.x, Optional 192.168.0.x, and Trusted Wireless 192.168.100.x). Did I do this right? Do I need to check the "DNS Forwarding" tab? I am hopeful it is this easy, as I want all networks to use this local DNS Server and not external network ones. I apologize if I sound like a newbie, but I am NOT a Network Professional, this unit is in my home and I bought it for its robust Firewall capabilities. Thank you all for answering my qyestion.

Login

toscanatlc — Tue, 26 Jul 2022 13:52:08 +0000

Greetings,

from our watcguard account we access Watchgaurd Cloud, we have 5 fireboxes of different customers and I can manage everything, if instead I want to access the dnswatch of each customer I cannot because every time I log in I only see the IP from which I connect, it exists a portal only for dnswatch or every time I have to log in and enter when I am with the interested IP?

Thank you

Does DNSWatch support eDNS & ECS

Kenjinator — Thu, 28 Apr 2022 06:11:00 +0000

Hi guys,

i've implemented DNSWatch on my customers network, works perfectly except having problems with registration of one of our sip trunks.
I've configured DNSWatch to be enforced on all interfaces.

Checked the requierements for the sip trunk and they need to support eDNS & ECS on DNS Servers used in the environment.

Does DNSWatch Servers support these features?

bad group

Maxspeed — Wed, 15 Dec 2021 20:16:55 +0000

Hi,

please check if I'm wrong ...

www.deepl.com
http://www.deepl.com is categorized as Reference Materials
***** not true **** I open Miscellaneous -> Uncategorized

please do the correction

thank you

Security Block Page Content Settings

Maxspeed — Tue, 30 Nov 2021 13:39:17 +0000

Hi,

we try to activate Security Block Page Content Settings with this text (see below)

why when a user see the warning it's only in english not this text?

where is my mistake ?

Thank you for your help

Il semble que vous ayez cliqué sur quelque chose de dangereux.

Veuillez effectuer cet exercice pour découvrir comment fonctionnent les attaques de phishing.

** It looks like you clicked on something dangerous. **

Please complete this exercise to learn how phishing attacks work.

Why is beagle.prod.tda.link elevated exposure?

schwicky — Mon, 06 Sep 2021 15:21:11 +0000

I'm trying to figure out why I see dozen to hundreds of daily lookups of the domain beagle.prod.tda.link on all Security Reports and why it's classified as "elevated exposure". Even Fireboxes without DNSwatch do block accesses to that webserver and trigger an elevated exposure webblocker alert.
I couldn't find any valuable information about what this webservice does and whether it's really an indication of a possible attack. But maybe I don't really understand what the category "elevated exposure" means. Is it a malicious tracker?
Does anyone have more insights?

failed to connect always restarting

jibanez — Tue, 24 Aug 2021 00:19:54 +0000

Good day,

i am having problems using the vpn, it was working just fine a couple of days ago, now it always shows me an error and restarting the connection.

here's the log:

2021-08-24T08:18:14.732 Launching WatchGuard Mobile VPN with SSL client. Version 12.7.0 (Build 637701) Built:Mar 11 2021 16:10:22
2021-08-24T08:18:17.009 Requesting client configuration from -redacted-.dyndns.org:443
2021-08-24T08:18:17.031 FAILED:2021-08-24T08:18:17.132 FAILED:Cannot perform http request 12007
2021-08-24T08:18:17.132 failed to get domain name
2021-08-24T08:18:19.062 LaunchOpenVPN: openvpn full command-line(first 8 chars): "C:\Prog, length: 248
2021-08-24T08:18:19.062 LaunchOpenVPN: vpn config full path(first 8 chars): C:\Users, length: 60
2021-08-24T08:18:19.589 OVPN:>HOLD:Waiting for hold release:0

2021-08-24T08:18:19.667 OVPN:>LOG:1629764299,D,MANAGEMENT: CMD ''

2021-08-24T08:18:19.667 OVPN:>LOG:1629764299,D,MANAGEMENT: CMD 'hold release'

2021-08-24T08:18:19.668 OVPN:SUCCESS: hold release succeeded

2021-08-24T08:18:19.668 OVPN:>PASSWORD:Need 'Auth' username/password

2021-08-24T08:18:19.745 OVPN:>LOG:1629764299,D,MANAGEMENT: CMD 'username "Auth" "-redacted-"'

2021-08-24T08:18:19.745 OVPN:SUCCESS: 'Auth' username entered, but not yet verified

2021-08-24T08:18:19.746 OVPN:>LOG:1629764299,D,MANAGEMENT: CMD 'password [...]'

2021-08-24T08:18:19.746 OVPN:SUCCESS: 'Auth' password entered, but not yet verified

2021-08-24T08:18:19.746 OVPN:>LOG:1629764299,,MANAGEMENT: >STATE:1629764299,RESOLVE,,,,,,

2021-08-24T08:18:19.746 OVPN:>STATE:1629764299,RESOLVE,,,,,,

2021-08-24T08:18:19.747 OVPN:>LOG:1629764299,N,RESOLVE: Cannot resolve host address: -redacted-.dyndns.org:443 (No such host is known. )

2021-08-24T08:18:19.747 OVPN:>LOG:1629764299,,MANAGEMENT: >STATE:1629764299,RESOLVE,,,,,,

2021-08-24T08:18:19.747 OVPN:>STATE:1629764299,RESOLVE,,,,,,

2021-08-24T08:18:19.748 OVPN:>LOG:1629764299,N,RESOLVE: Cannot resolve host address: -redacted-.dyndns.org:443 (No such host is known. )

2021-08-24T08:18:19.748 OVPN:>LOG:1629764299,W,Could not determine IPv4/IPv6 protocol

2021-08-24T08:18:19.749 OVPN:>LOG:1629764299,I,SIGUSR1[soft,init_instance] received, process restarting

2021-08-24T08:18:19.749 OVPN:>LOG:1629764299,,MANAGEMENT: >STATE:1629764299,RECONNECTING,init_instance,,,,,

2021-08-24T08:18:19.749 Does not allow reconnectiong

thank you

*Edited out personally identifiable log lines. James C.

Queries answered by DNSwatch?

caleyfeli85 — Sat, 31 Jul 2021 14:20:24 +0000

could anyone chime in as to why my local DNS queries appear to be answered by these two IP-addresses? A quick search revealed that they seem to be related to DNSwatch, which I've never selected. All outbound DNS traffic (to port 53 and 853) except to one DNS resolver is blocked by a router firewall rule and DoH as well as DoT Servers are blocked by a blacklist. [removed link]
I've configured a VPN service as my DNS resolver that is unrelated to DNSwatch. Pihole has been working great, ads are blocked and a DNS leak test confirms my VPN provider as sole DNS service.

Any help is greatly appreciated. cheers!

Is DNSWatch login down?

greggmh123 — Tue, 20 Apr 2021 18:35:58 +0000

At 11:30AM Pacific time on April 20th, I am unable to log into DNSWatch and I get the following error.

This page isn’t working
dnswatch.watchguard.com took too long to respond.
HTTP ERROR 504

I can log into the WatchGuard Cloud, but not DNSWatch.

Gregg

How to tell WHAT content policy blocked something?

greggmh123 — Mon, 05 Apr 2021 18:10:44 +0000

I tried to reach account.samsung.com and got the following message:

"WEBSITE BLOCKED
account.samsung.com has been blocked by DNSWatch

This website was blocked because it's against your company's content policy."

I couldn't find "samsung" anywhere in my config, nor do I see Deny traffic to samsung in FSM traffic monitor, so how can I find exactly which content policy is involved in this block? I can't see it in the DNSWatch console either, but maybe I am not looking in the right place.

The one thing I despise about DNSWatch is that is doesn't tell on its block page exactly why it blocked something.

Gregg

DNSWatchGO for Chromebooks Beta

Ricardo_Arroyo — Fri, 26 Mar 2021 12:41:24 +0000

Greetings WatchGuard community! We are proud to announce the open Beta for the DNSWatchGO Chrome extension for Chromebooks. With the DNSWatchGO Chrome extension, you can extend the protection of DNSWatch to provide consistent policy enforcement and security protection when your users leave the safety of your network. Similar to the DNSWatchGO Client on Windows devices, the DNSWatchGO Chrome extension provides DNS-level protection for users with Chrome. When the Chrome browser opens a site, the Chrome extension queries the DNSWatch servers to check if the site is malicious.

To participate in this beta test, you must have:

A DNSWatchGO license (or trial license)
A Google Workspace (formerly known as G Suite) administrative account. This gives you access to the Google Admin Console where you manage Google services for people in an organization, school, or group.

At a high level, to get started:

Download the DNSWatchGO Chrome extension file from the DNSWatch web UI.
From the Google Admin Console, configure and deploy the DNSWatchGO Chrome extension.

To participate in the Beta just click here to visit the Beta Site for further instructions.

Again, we appreciate your help in beta testing this new feature. Thanks for your help in making our products better!

The WatchGuard Beta Team

Issue with DNSWatch and akamai servers: wrong IP resolved

netdiver — Thu, 04 Feb 2021 09:11:15 +0000

Good morning.
Since yesterday 3 of february 2021 around 15:30 CET we had problems in opening web pages hosted on Akamai CDN.
This morning we looked deeper in the problem and we found out that DNSWatch was the culprit:
with DNSWatch active, our DNS server replied with this IP for www.dell.com:
23.195.119.68
which is inactive and does not reply to ping.

without DNSWatch, the IP given for www.dell.com is
104.83.100.157
which is up and pinging.

The same thing happened with a lot of other sites hosted in Akamai CDN, e.g:
www.amazon.it
www.microsoft.com
www.oracle.com
www.walmart.com
www.hpe.com

none of those sites worked with DNSWatch activated. We were forced to deactivate this feature.

Anyone had the same problem?

Thanks in advance

DNSWatch certificate when using HTTPS inspection

Scott5297 — Sat, 15 Aug 2020 10:42:18 +0000

Greeting to all,

I am just in the process of setting up a new T40 firebox with Fireware 12.6.1 update 1 firmware.

I am testing HTTPS inspection and it seems to work well.

I have imported the web server certificate and the proxy authority certificate to the test machine. HTTPS websites work well and functions such as blocking an HTTPS website as a test succeed.

One cosmetic issue is that I get a certificate error when a https website is blocked by DNSWatch.

The certificate states "windows does not have enough information to verify this certificate" and "The issuer of this certificate could not be found."

Bypassing the certificate error correctly takes me to the DNSWatch blocking page.

I wonder if someone would please point me in the right direction to resolving this? [edit: Is it impossible to avoid the certificate error because the DNSWatch certificate doesn't belong to the website?]

Many thanks

Scott

Panda Adaptive Defense 360 - Web blocker - Dnswatch

user808 — Sun, 17 Jan 2021 18:07:45 +0000

Currently I have DNSWatch installed on a firebox which also has the Web blocker feature activated. I have hosts with Panda Adaptive Defense 360 and some with Panda AD 360 Advanced Reporting. (I have TRD hosts installed as well.)

Dnswatch, web blocker and Panda all have content category filters. I have web blocker activated and dnswatch enabled and have not configured Panda.

Which combination of these if any would be best to use and in what configuration

how can i tell which device triggered a block

davidneltzon — Fri, 15 Jan 2021 15:19:09 +0000

hello,
i need to know which computer triggered each block.

i got this from the report

Victim IP addresses Unavailable
Victim hostname Unknown"

Destination domains
paste[.]ee
Destination port 443

thanks,

Certificate for DNSWatchGO

jmsoares91 — Wed, 13 Nov 2019 14:28:37 +0000

Hi Guys,

When we install the DNSWatchGO client, everytime a block occurs we get a Certificate Error on the Browser.

Where can we download the DNSWatchGO Certificate Authoritity?

Should the client install the CA during the setup?

Thanks in advance